Edit tour
Windows
Analysis Report
Keys4Us_Office_2024_DE_64Bits.exe
Overview
General Information
| Sample name: | Keys4Us_Office_2024_DE_64Bits.exe |
| Analysis ID: | 1670034 |
| MD5: | 08ca1b53e72fc0e41fdd9a63f3c51577 |
| SHA1: | fa91f58ccaacdc2b3486834d80bc846dfaf02d72 |
| SHA256: | ca3d6db83232f9e5f79f6ba2a78263172e163da11e8233bef1c961a15da5af3f |
| Tags: | Keys4Us_Office_2024_DE_64 |
 | |
Detection
| Score: | 1 |
| Range: | 0 - 100 |
| Confidence: | 40% |
Signatures
Allocates memory with a write watch (potentially for evading sandboxes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains sections with non-standard names
Uses 32bit PE files
Classification
- System is w10x64
Keys4Us_Office_2024_DE_64Bits.exe (PID: 7624 cmdline: "C:\Users\ user\Deskt op\Keys4Us _Office_20 24_DE_64Bi ts.exe" MD5: 08CA1B53E72FC0E41FDD9A63F3C51577)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Malware Analysis System Evasion
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Static PE information: | ||
| Source: | Classification label: | ||
| Source: | Static PE information: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Section loaded: | Jump to behavior | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static file information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Memory allocated: | Jump to behavior | ||
| Source: | Window / User API: | Jump to behavior | ||
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Virtualization/Sandbox Evasion | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | 1 Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 1 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 5% | ReversingLabs | |||
| 1% | Virustotal | Browse |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high |
⊘No contacted IP infos
| Joe Sandbox version: | 42.0.0 Malachite |
| Analysis ID: | 1670034 |
| Start date and time: | 2025-04-21 03:24:53 +02:00 |
| Joe Sandbox product: | CloudBasic |
| Overall analysis duration: | 0h 3m 55s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Run name: | Potential for more IOCs and behavior |
| Number of analysed new started processes analysed: | 11 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample name: | Keys4Us_Office_2024_DE_64Bits.exe |
| Detection: | CLEAN |
| Classification: | clean1.winEXE@1/0@0/0 |
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, s ppsvc.exe, SIHClient.exe, Sgrm Broker.exe, conhost.exe, svcho st.exe - Excluded IPs from analysis (wh
itelisted): 184.29.183.29, 4.2 45.163.56, 20.190.190.195 - Excluded domains from analysis
(whitelisted): fs.microsoft.c om, ocsp.digicert.com, slscr.u pdate.microsoft.com, login.liv e.com, ctldl.windowsupdate.com , c.pki.goog, fe3cr.delivery.m p.microsoft.com - Not all processes where analyz
ed, report is missing behavior information - Report size getting too big, t
oo many NtOpenKeyEx calls foun d. - Report size getting too big, t
oo many NtProtectVirtualMemory calls found. - Report size getting too big, t
oo many NtQueryValueKey calls found.
⊘No simulations
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 7.9565106457565795 |
| TrID: |
|
| File name: | Keys4Us_Office_2024_DE_64Bits.exe |
| File size: | 2'939'800 bytes |
| MD5: | 08ca1b53e72fc0e41fdd9a63f3c51577 |
| SHA1: | fa91f58ccaacdc2b3486834d80bc846dfaf02d72 |
| SHA256: | ca3d6db83232f9e5f79f6ba2a78263172e163da11e8233bef1c961a15da5af3f |
| SHA512: | 5a413fb56c93e44e1b7a2e54b09e7a3afc52a87e058458b886e3d209975e6ff17ae5c2981ff643ee91e625c1a6fd4d525473b5f2d5f8b989920f8ecd9e5ddbf9 |
| SSDEEP: | 49152:esv2dypEIJFS6G/9nQ0Ra15r80+qRnmMbYgtLg93bBhYo0Z043k17t6OXoCiR:esO4WuFSH9nQ0wF+snmMpLgdwo0ZcxVO |
| TLSH: | 57D52353B3C080B2D4712B315A79DA50517DBC941F72CBEF63E6A82ED6205D28B32B97 |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W...6...6...6....V..6....T.'6....U..6..)MZ..6..)M...6..)M...6..)M...6...N$..6...N4..6...6...7..'M...6..'M...6..'MX..6..'M...6. |
 | |
| Icon Hash: | 1515d4d4442f2d2d |
| Entrypoint: | 0x421d50 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x651BC7F7 [Tue Oct 3 07:51:19 2023 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 1 |
| File Version Major: | 5 |
| File Version Minor: | 1 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 1 |
| Import Hash: | 75e9596d74d063246ba6f3ac7c5369a0 |
| Signature Valid: | true |
| Signature Issuer: | CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB |
| Signature Validation Error: | The operation completed successfully |
| Error Number: | 0 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | 3C035689BFBECA75B4597E7128821FA4 |
| Thumbprint SHA-1: | E727ACE05DAA6F7550AA02F639E885003F1A1538 |
| Thumbprint SHA-256: | 5511E784533E07EF2C421E48E01E0BF724A61F3701372608B84258FDA126DE78 |
| Serial: | 1CC828BC7B93110966A92D5F20111E7B |
| Instruction |
|---|
| call 00007FF3BCB548ABh |
| jmp 00007FF3BCB5425Dh |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| push 00424F20h |
| push dword ptr fs:[00000000h] |
| mov eax, dword ptr [esp+10h] |
| mov dword ptr [esp+10h], ebp |
| lea ebp, dword ptr [esp+10h] |
| sub esp, eax |
| push ebx |
| push esi |
| push edi |
| mov eax, dword ptr [0044277Ch] |
| xor dword ptr [ebp-04h], eax |
| xor eax, ebp |
| push eax |
| mov dword ptr [ebp-18h], esp |
| push dword ptr [ebp-08h] |
| mov eax, dword ptr [ebp-04h] |
| mov dword ptr [ebp-04h], FFFFFFFEh |
| mov dword ptr [ebp-08h], eax |
| lea eax, dword ptr [ebp-10h] |
| mov dword ptr fs:[00000000h], eax |
| ret |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| int3 |
| mov ecx, dword ptr [ebp-10h] |
| mov dword ptr fs:[00000000h], ecx |
| pop ecx |
| pop edi |
| pop edi |
| pop esi |
| pop ebx |
| mov esp, ebp |
| pop ebp |
| push ecx |
| ret |
| push ebp |
| mov ebp, esp |
| sub esp, 0Ch |
| lea ecx, dword ptr [ebp-0Ch] |
| call 00007FF3BCB46981h |
| push 0043F388h |
| lea eax, dword ptr [ebp-0Ch] |
| push eax |
| call 00007FF3BCB56DD5h |
| int3 |
| jmp 00007FF3BCB58CA8h |
| push ebp |
| mov ebp, esp |
| and dword ptr [00466078h], 00000000h |
| sub esp, 24h |
| or dword ptr [004427B0h], 01h |
| push 0000000Ah |
| call dword ptr [004361D0h] |
| test eax, eax |
| je 00007FF3BCB54592h |
| and dword ptr [ebp-10h], 00000000h |
| xor eax, eax |
| push ebx |
| push esi |
| push edi |
| xor ecx, ecx |
| lea edi, dword ptr [ebp-24h] |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x405c0 | 0x34 | .rdata |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x405f4 | 0x50 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x68000 | 0xdff8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2cb220 | 0x2978 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x76000 | 0x255c | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3e3b0 | 0x54 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x388b0 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x36000 | 0x278 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3fa9c | 0x120 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x345cc | 0x34600 | b7a8b04ab2248443b05e8133fb3a9064 | False | 0.5887343377088305 | data | 6.708390817791953 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x36000 | 0xb410 | 0xb600 | a418919d63b67e937555eec95d3b6bcb | False | 0.45409083104395603 | Applesoft BASIC program data, first line number 4 | 5.215945456388312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x42000 | 0x24758 | 0x1200 | d8d5c95192b51ddad1857caa38e7daa9 | False | 0.4049479166666667 | data | 4.078919796039023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .didat | 0x67000 | 0x1a4 | 0x200 | ee74a17c4eeb586c9811481b77498b43 | False | 0.4609375 | data | 3.5194570553957747 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x68000 | 0xdff8 | 0xe000 | 24f6d0ec8c14a78cfe04f16467fb2928 | False | 0.6373465401785714 | data | 6.638693022127744 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x76000 | 0x255c | 0x2600 | 699c6b2b1b2acad2d0f219d9328713af | False | 0.783203125 | data | 6.6660836278877325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| PNG | 0x68650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528 |
| PNG | 0x69198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495 |
| RT_ICON | 0x6a748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534 |
| RT_ICON | 0x6acb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585 |
| RT_ICON | 0x6b558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034 |
| RT_ICON | 0x6c400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816 |
| RT_ICON | 0x6c868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843 |
| RT_ICON | 0x6d910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195 |
| RT_ICON | 0x6feb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401 |
| RT_DIALOG | 0x74588 | 0x286 | data | English | United States | 0.5092879256965944 |
| RT_DIALOG | 0x74358 | 0x13a | data | English | United States | 0.60828025477707 |
| RT_DIALOG | 0x74498 | 0xec | data | English | United States | 0.6991525423728814 |
| RT_DIALOG | 0x74228 | 0x12e | data | English | United States | 0.5927152317880795 |
| RT_DIALOG | 0x73ef0 | 0x338 | data | English | United States | 0.45145631067961167 |
| RT_DIALOG | 0x73c98 | 0x252 | data | English | United States | 0.5757575757575758 |
| RT_STRING | 0x74f68 | 0x1e2 | data | English | United States | 0.3900414937759336 |
| RT_STRING | 0x75150 | 0x1cc | data | English | United States | 0.4282608695652174 |
| RT_STRING | 0x75320 | 0x1b8 | data | English | United States | 0.45681818181818185 |
| RT_STRING | 0x754d8 | 0x146 | data | English | United States | 0.5153374233128835 |
| RT_STRING | 0x75620 | 0x46c | data | English | United States | 0.3454063604240283 |
| RT_STRING | 0x75a90 | 0x166 | data | English | United States | 0.49162011173184356 |
| RT_STRING | 0x75bf8 | 0x152 | data | English | United States | 0.5059171597633136 |
| RT_STRING | 0x75d50 | 0x10a | data | English | United States | 0.49624060150375937 |
| RT_STRING | 0x75e60 | 0xbc | data | English | United States | 0.6329787234042553 |
| RT_STRING | 0x75f20 | 0xd6 | data | English | United States | 0.5747663551401869 |
| RT_GROUP_ICON | 0x73c30 | 0x68 | data | English | United States | 0.7019230769230769 |
| RT_MANIFEST | 0x74810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333 |
| DLL | Import |
|---|---|
| KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetTimeFormatW, GetDateFormatW, LocalFree, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapReAlloc, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage |
| OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear |
| gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 21:25:48 |
| Start date: | 20/04/2025 |
| Path: | C:\Users\user\Desktop\Keys4Us_Office_2024_DE_64Bits.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0xe80000 |
| File size: | 2'939'800 bytes |
| MD5 hash: | 08CA1B53E72FC0E41FDD9A63F3C51577 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | false |
⊘No disassembly
