Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522715
MD5: 9fc46b6036032a8d8a89e3567a3dcec3
SHA1: 42dcd68b4a35686b000a18efb4c2b2ae07d5cc94
SHA256: 0e96860caa7e17fdcacac170b59189eb500761d5a80954d92e7f7b0ecb6b9534
Tags: exe, user-jstrosch

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: file.exe ReversingLabs: Detection: 55%
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00412408 FindFirstFileW,Sleep,FindNextFileW,FindClose, 1_2_00412408
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00438877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_00438877
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_0040280D
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003F399B GetFileAttributesW,FindFirstFileW,FindClose, 1_2_003F399B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003F1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_003F1A73
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041CAE7 FindFirstFileW,FindNextFileW,FindClose, 1_2_0041CAE7
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 1_2_0040BCB3
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041DE7C FindFirstFileW,FindClose, 1_2_0041DE7C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_0040BF17
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00402285 InternetQueryDataAvailable,InternetReadFile, 1_2_00402285
Source: file.exe String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: file.exe String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: file.exe String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: file.exe String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: file.exe String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: file.exe String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: file.exe String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: file.exe String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: file.exe String found in binary or memory: http://www.globalsign.net/repository/0
Source: file.exe String found in binary or memory: http://www.globalsign.net/repository/03
Source: file.exe String found in binary or memory: http://www.globalsign.net/repository09
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 1_2_0041A0FC
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0042D8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 1_2_0042D8E9
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004042E1 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW, 1_2_004042E1
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0043C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 1_2_0043C7D6
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003F1BD5: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 1_2_003F1BD5
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00406219 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 1_2_00406219
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003F33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 1_2_003F33A3
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003DA137 1_2_003DA137
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003D2136 1_2_003D2136
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003E427D 1_2_003E427D
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040F3A6 1_2_0040F3A6
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040655F 1_2_0040655F
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003D2508 1_2_003D2508
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003C35F0 1_2_003C35F0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003C98F0 1_2_003C98F0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003CF730 1_2_003CF730
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003D3721 1_2_003D3721
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003E088F 1_2_003E088F
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003C98F0 1_2_003C98F0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003D28F0 1_2_003D28F0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003DC8CE 1_2_003DC8CE
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003D1903 1_2_003D1903
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0043EA2B 1_2_0043EA2B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040EACF 1_2_0040EACF
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003E3BA1 1_2_003E3BA1
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00402D2D 1_2_00402D2D
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003D1D98 1_2_003D1D98
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003E0DE0 1_2_003E0DE0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040CE8D 1_2_0040CE8D
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00404EB7 1_2_00404EB7
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003E1F2C 1_2_003E1F2C
Source: C:\Users\user\Desktop\file.exe Code function: String function: 003D14F7 appears 36 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 004059E6 appears 65 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 003D6B90 appears 39 times
Source: file.exe, 00000001.00000000.1843449360.000000000046B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewritelJ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamewritelJ vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: mal52.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040AEE3 GetLastError,FormatMessageW, 1_2_0040AEE3
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003F33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 1_2_003F33A3
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00424AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 1_2_00424AEB
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041D606 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 1_2_0041D606
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0043557E CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle, 1_2_0043557E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0042E0F6 CoInitialize,CoCreateInstance,CoUninitialize, 1_2_0042E0F6
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003F3044 __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 1_2_003F3044
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: thumbcache.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msftedit.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.globalization.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47mrm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: globinputhost.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: assignedaccessruntime.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: structuredquery.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.search.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: twinapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: actxprxy.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: networkexplorer.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{725F645B-EAED-4fc5-B1C5-D9AD0ACCBA5E}\InProcServer32
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\MsftEdit.dll
Source: C:\Users\user\Desktop\file.exe Window detected: Number of UI elements: 13
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003CEE30 LoadLibraryA,GetProcAddress, 1_2_003CEE30
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004221AF push edi; ret 1_2_004221B1
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003ED53C push 74003ECFh; iretd 1_2_003ED541
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003D6BD5 push ecx; ret 1_2_003D6BE8
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0043A2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 1_2_0043A2EA
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003F43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_003F43FF
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Window / User API: foregroundWindowGot 704
Source: C:\Users\user\Desktop\file.exe API coverage: 1.1 %
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00412408 FindFirstFileW,Sleep,FindNextFileW,FindClose, 1_2_00412408
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00438877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 1_2_00438877
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_0040280D
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003F399B GetFileAttributesW,FindFirstFileW,FindClose, 1_2_003F399B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003F1A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 1_2_003F1A73
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041CAE7 FindFirstFileW,FindNextFileW,FindClose, 1_2_0041CAE7
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 1_2_0040BCB3
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041DE7C FindFirstFileW,FindClose, 1_2_0041DE7C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 1_2_0040BF17
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003CE700 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 1_2_003CE700
Source: file.exe, 00000001.00000002.3095650650.0000000001894000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041A35D BlockInput, 1_2_0041A35D
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003CD7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 1_2_003CD7A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003CEE30 LoadLibraryA,GetProcAddress, 1_2_003CEE30
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003E37FA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_003E37FA
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003DA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_003DA128
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003DF170 SetUnhandledExceptionFilter, 1_2_003DF170
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003D7CCD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_003D7CCD
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003F6C61 LogonUserW, 1_2_003F6C61
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003CD7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 1_2_003CD7A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003F43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_003F43FF
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003F3321 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 1_2_003F3321
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040602A GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 1_2_0040602A
Source: file.exe Binary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: file.exe Binary or memory string: Shell_TrayWnd
Source: file.exe, 00000001.00000002.3095443639.0000000000442000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000001.00000000.1843414149.0000000000442000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: I@ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00432095 _memset,_memset,GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW, 1_2_00432095
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00432BF9 GetUserNameW, 1_2_00432BF9
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003DE284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 1_2_003DE284
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003CE700 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 1_2_003CE700
Source: file.exe Binary or memory string: WIN_XP
Source: file.exe Binary or memory string: WIN_XPe
Source: file.exe Binary or memory string: WIN_VISTA
Source: file.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
Source: file.exe Binary or memory string: WIN_7
Source: file.exe Binary or memory string: WIN_8
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0042C06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 1_2_0042C06C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004365D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 1_2_004365D3
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00424EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 1_2_00424EFB
No contacted IP infos
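The "Code function" evidence lines above are the raw material that the signature list at the top of the report summarizes, and the strings the sample carries (the autoitscript.com URL, the "AutoIt -" key-name table ending in "ExitScript Paused", and the WIN_XP/WIN_VISTA/WIN_7/WIN_8 version table) identify the binary as a compiled AutoIt3 script. That matters for reading the signatures: clipboard access, keystroke and mouse simulation, BlockInput, LogonUserW/CreateProcessAsUserW, shutdown and a listening TCP socket are all built-in functions of the AutoIt3 interpreter stub, so they describe what the runtime can do rather than what the embedded script does. The triage script below is an added example by the editor, not part of the Joe Sandbox report or its signature engine: it parses a subset of the evidence lines copied verbatim from this report (constructed sample input), buckets each function's API chain into a capability using an API-to-capability mapping that is the editor's own assumption, and reports which AutoIt runtime indicators are present in the string evidence.

```python
"""Consolidate Joe Sandbox 'Code function' evidence into capability buckets.

Added example for this report; not Joe Sandbox code. The API->capability
mapping below is the editor's own assumption, not Joe Sandbox's signature logic.
"""
import re
from collections import defaultdict

# Constructed sample input: evidence lines copied verbatim from the report above.
EVIDENCE = r"""
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00402285 InternetQueryDataAvailable,InternetReadFile, 1_2_00402285
Source: file.exe String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 1_2_0041A0FC
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0042D8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 1_2_0042D8E9
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004042E1 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW, 1_2_004042E1
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00406219 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 1_2_00406219
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003F33A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 1_2_003F33A3
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003DA137 1_2_003DA137
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00424AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 1_2_00424AEB
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0043557E CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle, 1_2_0043557E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003CEE30 LoadLibraryA,GetProcAddress, 1_2_003CEE30
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003F43FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_003F43FF
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041A35D BlockInput, 1_2_0041A35D
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003CD7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 1_2_003CD7A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003F6C61 LogonUserW, 1_2_003F6C61
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003F3321 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 1_2_003F3321
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00432BF9 GetUserNameW, 1_2_00432BF9
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_003CE700 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary, 1_2_003CE700
Source: file.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004365D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 1_2_004365D3
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00424EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 1_2_00424EFB
"""

# Editor's assumed mapping: a function gets a capability if its chain calls any marker API.
# 'listening_socket' deliberately requires listen(), so 1_2_004365D3 (socket/bind only)
# is a socket user but not a listener, matching the report's backdoor signature hit.
CAPABILITIES = {
    "clipboard": {"OpenClipboard", "GetClipboardData", "SetClipboardData", "EmptyClipboard"},
    "input_simulation": {"keybd_event", "mouse_event", "SendInput", "SetKeyboardState"},
    "input_blocking": {"BlockInput"},
    "key_state_polling": {"GetKeyState", "GetAsyncKeyState", "GetKeyboardState"},
    "anti_debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
    "dynamic_api_resolution": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
    "run_as_other_user": {"LogonUserW", "CreateProcessAsUserW", "CreateProcessWithLogonW", "DuplicateTokenEx"},
    "privilege_adjust": {"AdjustTokenPrivileges", "LookupPrivilegeValueW"},
    "shutdown_reboot": {"ExitWindowsEx", "InitiateSystemShutdownExW", "SetSystemPowerState"},
    "listening_socket": {"listen"},
    "network_socket": {"socket", "bind", "connect"},
    "internet_download": {"InternetReadFile", "InternetQueryDataAvailable", "InternetOpenUrlW"},
    "file_enumeration": {"FindFirstFileW", "FindNextFileW"},
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "process_termination": {"TerminateProcess"},
    "os_fingerprint": {"GetVersionExW", "GetNativeSystemInfo"},
    "user_discovery": {"GetUserNameW", "SHGetFolderPathW"},
    "window_focus_hijack": {"SetForegroundWindow", "AttachThreadInput"},
}

# Strings that identify the AutoIt3 interpreter stub (URL, tray-menu text, @OSVersion table).
AUTOIT_INDICATORS = (
    "http://www.autoitscript.com/autoit3/",
    "AutoIt -",
    "ExitScript Paused",
    "WIN_2008R2WIN_7WIN_2008WIN_VISTA",
)

# 'Code function: 1_2_ADDR[:] api,api,..., 1_2_ADDR'; lines with no API chain do not match.
LINE_RE = re.compile(r"Code function: (1_2_[0-9A-F]{8}):? (.*?),? 1_2_[0-9A-F]{8}\s*$")


def parse_evidence(text):
    """Return {function_address: [api, ...]} for every evidence line with an API chain."""
    funcs = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            apis = [a for a in m.group(2).split(",") if a]
            if apis:
                funcs[m.group(1)] = apis
    return funcs


def classify(funcs):
    """Map each capability to the sorted list of function addresses whose chain hits it."""
    hits = defaultdict(set)
    for addr, apis in funcs.items():
        for cap, markers in CAPABILITIES.items():
            if set(apis) & markers:
                hits[cap].add(addr)
    return {cap: sorted(addrs) for cap, addrs in hits.items()}


def autoit_runtime_indicators(lines):
    """Return the AutoIt stub indicators that occur in any of the given string lines."""
    return [s for s in AUTOIT_INDICATORS if any(s in line for line in lines)]


if __name__ == "__main__":
    funcs = parse_evidence(EVIDENCE)
    for cap, addrs in sorted(classify(funcs).items()):
        print(f"{cap:24s} {', '.join(addrs)}")
    print("AutoIt indicators:", autoit_runtime_indicators(EVIDENCE.splitlines()))
```

Running it on the full report text instead of the embedded subset works unchanged; functions listed without an API chain (the bare "1_2_003DA137 1_2_003DA137" entries) are skipped, and any capability that only the AutoIt runtime exercises should be weighed against what the decompiled script actually calls.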