Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522739
MD5: 3d6cf2933284333f5d945c062bffcd2b
SHA1: deb8e888fcea2139a0f91a7a87386c086b71b134
SHA256: b3058d02ea8c370311e612bd4916e05c8c909b110d3f2c588073c59b2105dba5
Tags: exe, user-jstrosch

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample or dropped binary is a compiled AutoHotkey binary
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
Potential key logger detected (key state polling based)
Queries the product ID of Windows
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

AV Detection

Source: file.exe ReversingLabs: Detection: 39%
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: ::7S|P2f=bV|J/w}hut^fES.*^,5*.pDbZqxtLx,@oI#,oSyY?9L,MTlL,t{sZ;]uEjQYb^_EXYsoP0E2&vu*4rDj7_=ngHNnvUo4hJ|q5-&FdF3_{GXCN00LYQ2Jgj source: file.exe, 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: ^ ::f,1PlmFP@IbV6W!op_/}E29-=ePRdnsqxb}Y@*}s!;R=6qc0fQtlFmew}NL2@?L~Mi.J9WHp9(cH[D08]PJfal}WdgK~?a{Wg+bGyoUnEOOgkasdJf6@hc~}wtL[Y ::7S|P2f=bV|J/w}hut^fES.*^,5*.pDbZqxtLx,@oI#,oSyY?9L,MTlL,t{sZ;]uEjQYb^_EXYsoP0E2&vu*4rDj7_=ngHNnvUo4hJ|q5-&FdF3_{GXCN00LYQ2Jgj source: file.exe
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00475E20 _wcschr,_wcschr,_wcschr,_wcsncpy,_wcschr,FindClose,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose, 0_2_00475E20
Source: file.exe, file.exe, 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://autohotkey.com
Source: file.exe, 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://autohotkey.comCould

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408E80 SetWindowsHookExW 0000000D,Function_000047F0,00400000,00000000 0_2_00408E80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404330 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard, 0_2_00404330
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404500 GetClipboardFormatNameW,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,GetClipboardData, 0_2_00404500
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E17A GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetModuleHandleW,GetProcAddress,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId, 0_2_0040E17A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E019 __wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetModuleHandleW,GetProcAddress,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId, 0_2_0040E019
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E0AE GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetModuleHandleW,GetProcAddress,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId, 0_2_0040E0AE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E2BF GetModuleHandleW,GetProcAddress,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId, 0_2_0040E2BF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E68A _free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId, 0_2_0040E68A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E6B0 _free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId, 0_2_0040E6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E701 __wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId, 0_2_0040E701
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004117F0 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState, 0_2_004117F0

System Summary

Source: C:\Users\user\Desktop\file.exe Window found: window name: AutoHotkey
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00417101 0_2_00417101
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C1B0 0_2_0040C1B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041EAA0 0_2_0041EAA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0048CBF0 0_2_0048CBF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040BB90 0_2_0040BB90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00413421 0_2_00413421
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00413420 0_2_00413420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041F510 0_2_0041F510
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00482F60 0_2_00482F60
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0042ECE0 appears 82 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0048E559 appears 82 times
Source: file.exe Static PE information: Resource name: RT_RCDATA type: COM executable for DOS
Source: file.exe, 00000000.00000000.1698591836.000000000064E000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLicenseSwitcher" vs file.exe
Source: file.exe, 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLicenseSwitcher" vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameLicenseSwitcher" vs file.exe
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal76.spyw.evad.winEXE@6/3@0/0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042F8D0 __wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW, 0_2_0042F8D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00476DC0 SystemParametersInfoW,LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,ExtractIconW, 0_2_00476DC0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\Desktop\LIC_SWITCH.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\PID8.vbs
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 39%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\cscript.exe Section loaded: version.dll
Source: C:\Windows\System32\cscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\cscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\cscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\cscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\cscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\cscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\cscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\cscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\cscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\cscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\cscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\cscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\cscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\cscript.exe Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\file.exe Window found: window name: SysTabControl32
Source: C:\Users\user\Desktop\file.exe Window detected: Number of UI elements: 52
Source: file.exe Static file information: File size 1675264 > 1048576
Source: file.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x17de00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064DBE0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_0064DBE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040707B push esp; ret 0_2_0040707E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040708C push esp; ret 0_2_0040708D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00407112 push esp; ret 0_2_00407113
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004075FF push esp; ret 0_2_00407602
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406E51 push esp; ret 0_2_00406E52
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040760A push esp; ret 0_2_00407611
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406FCC pushad ; ret 0_2_00406FCD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406FF6 push esp; ret 0_2_00406FF7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00492FF5 push ecx; ret 0_2_00493008
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406FB9 pushad ; ret 0_2_00406FBA
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00469130 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,KiUserCallbackDispatcher,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect, 0_2_00469130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00478C60 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,KiUserCallbackDispatcher, 0_2_00478C60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00476360 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen, 0_2_00476360
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_NetworkAdapter WHERE NetEnabled=True and PhysicalAdapter=True and PNPDeviceID LIKE '%PCI%'
Source: C:\Users\user\Desktop\file.exe Window / User API: foregroundWindowGot 1004
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004127C0 GetKeyboardLayout followed by cmp: cmp al, 19h and CTI: ja 004128AFh country: Russian (ru) 0_2_004127C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00475E20 _wcschr,_wcschr,_wcschr,_wcsncpy,_wcschr,FindClose,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose, 0_2_00475E20
Source: file.exe Binary or memory string: |HZO9xC-vW ::E5osG1?2Jaq3AWUR)5HYuC*PLa+pZFUh#WRkYD)C[/0..q[lX0ia.?sNRAA]Y;,^2f*.!&O?YXp+B{OLCwGe+JP)HirsbXJeC.3~b=l[m#mHlLVYN@nncxx;m8/eO ::TFoeT!YMvmud6qEmUv*4N+lCvy6yK#+0d)yhX2hP.0=GLvVAw^fA.qSfuX}R-3Z9t)r(L=xK5yV8tUj(NF4gMjXPdrSKu4Ge?assC)&{d2oqm2;oK#REF
Source: file.exe, 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ::TFoeT!YMvmud6qEmUv*4N+lCvy6yK#+0d)yhX2hP.0=GLvVAw^fA.qSfuX}R-3Z9t)r(L=xK5yV8tUj(NF4gMjXPdrSKu4Ge?assC)&{d2oqm2;oK#REFXaBRftgY
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00492505 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00492505
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064DBE0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_0064DBE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00494EE6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00494EE6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042F8D0 __wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW, 0_2_0042F8D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040FA50 GetKeyState,GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetAsyncKeyState,keybd_event,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,GetModuleHandleW,GetProcAddress, 0_2_0040FA50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004109A0 GetAsyncKeyState,GetSystemMetrics,GetSystemMetrics,GetCursorPos,WindowFromPoint,GetWindowThreadProcessId,SendMessageW,mouse_event,mouse_event, 0_2_004109A0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs
Source: file.exe Binary or memory string: Program Manager
Source: file.exe Binary or memory string: Shell_TrayWnd
Source: file.exe, 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: regk-hookm-hook2-hooksjoypollPART%i-%i(no)%s%s%s%s%s%s{Raw}{Text}%s%cHotstring max abbreviation length is 40.EndCharsMouseResetResetParameter #1 invalid.Parameter #2 invalid.Parameter #3 invalid.Parameter #2 must not be blank in this case.Hotstring not found.TextLEFTLRIGHTRMIDDLEMX1X2WUWDWLWRSendInputuser32{Blind}{ClickLl{}^+!#{}RawTempASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt SYSTEM\CurrentControlSet\Control\Keyboard Layouts\Layout FileKbdLayerDescriptorsc%03Xvk%02XSCALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%uStdOutAllClassOverwriteUseEnvLocalSameAsGlobalUseUnsetGlobalUseUnsetLocalYYYYYWeekYearYDayWorkingDirWinDirWinDelayWDayUserNameTitleMatchModeSpeedTitleMatchModeTimeSinceThisHotkeyTimeSincePriorHotkeyTimeIdlePhysicalTimeIdleMouseTimeIdleKeyboardTimeIdleTickCountThisMenuItemPosThisMenuItemThisMenuThisLabelThisHotkeyThisFuncStoreCapslockModeStartupCommonStartupStartMenuCommonStartMenuSecScriptNameScriptHwndScriptFullPathScriptDirScreenWidthScreenHeightScreenDPIRegViewPtrSizeProgramsCommonProgramsPriorKeyPriorHotkeyOSVersionOSTypeNumBatchLinesNowUTCNowMyDocumentsMSecMouseDelayPlayMouseDelayMonMMMMMMMMMMinMDayLoopRegTypeLoopRegTimeModifiedLoopRegSubKeyLoopRegNameLoopRegKeyLoopReadLineLoopFileTimeModifiedLoopFileTimeCreatedLoopFileTimeAccessedLoopFileSizeMBLoopFileSizeKBLoopFileSizeLoopFileShortPathLoopFileShortNameLoopFilePathLoopFileNameLoopFileLongPathLoopFileFullPathLoopFileExtLoopFileDirLoopFileAttribLoopFieldLineNumberLineFileLastErrorLanguageKeyDurationPlayKeyDurationKeyDelayPlayKeyDelayIsUnicodeIsSuspendedIsPausedIsCriticalIsCompiledIsAdminIs64bitOSIPAddress4IPAddress3IPAddress2IPAddress1IndexIconTipIconNumberIconHiddenIconFileHourGuiYGuiXGuiWidthGuiHeightGuiEventGuiControlEventFormatIntegerFormatFloatExitReasonEventInfoEndCharDesktopCommonDesk
topDefaultTreeViewDefaultMouseSpeedDefaultListViewDefaultGuiDDDDDDDDDCursorCoordModeToolTipCoordModePixelCoordModeMouseCoordModeMenuCoordModeCaretControlDelayComputerNameCaretYCaretXBatchLinesAppDataCommonAppDataAhkVersionAhkPathTrueProgramFilesFalseComSpecClipboardAll...%s[%Iu of %Iu]: %-1.60s%sPropertyRegExMatch\:\:HKLMHKEY_LOCAL_MACHINEHKCRHKEY_CLASSES_ROOTHKCCHKEY_CURRENT_CONFIGHKCUHKEY_CURRENT_USERHKUHKEY_USERSREG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264LineRegExFASTSLOWAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightAddDestroyNamePriorityInterruptNoTimersLabelTypeONLocalePermitMouseSendAndMouseMouseMoveOffPlayEventThenEventThenPlayYESNOOKCANCELABORTIGNORERETRYCONTINUETRYAGAINTimeoutMINMAXHIDEScreenRelativeWindowClientPixelCaretIntegerFloatNumberTimeDateDigitXdigitAlnumAlphaUpperLowerUTF-8UTF-8-RAWUTF-16UTF-16-RAWCPFuncRemoveClipboardFormatListenerAddClipboardFormatListenerTrayNo tray memstatus AHK_PlayMe modeclose AHK_PlayMe%s\%sRegClassAutoHotkey2Shell_TrayWndCreateWindoweditLucida ConsoleConsolasCritical Error: %s
Source: file.exe, 00000000.00000002.2952166293.00000000004B1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowahk_idpidgroup%s%uProgram ManagerError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: C:\Windows\System32\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00416D74 SetCurrentDirectoryW,GetSystemTimeAsFileTime, 0_2_00416D74
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004135CE RtlGetVersion,__snwprintf, 0_2_004135CE
Source: C:\Windows\System32\cscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: file.exe Binary or memory string: WIN_XP
Source: file.exe, 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ?*A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingle1.1.28.02\AutoHotkey.exeWIN32_NTWIN_XPWIN_7WIN_8.1WIN_8WIN_VISTAWIN_2003WIN_2000%04hXcomspecGetCursorInfo0x%Ix*pPIntStrPtrShortCharInt64DoubleAStrWStrgdi32comctl32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity. The program is now unstable and will exit.Pos%sLen%sPos%dLen%dLenMarkpcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCcFfSelectVisCenterUniDescCaseLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameWpsapi0
Source: file.exe Binary or memory string: WIN_VISTA
Source: file.exe Binary or memory string: WIN_7
Source: file.exe Binary or memory string: WIN_8
Source: file.exe Binary or memory string: WIN_8.1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00415BC0 Shell_NotifyIconW,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DeleteObject,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyCursor,DestroyCursor,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,mciSendStringW,RtlDeleteCriticalSection,OleUninitialize,_free,_free,_free, 0_2_00415BC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00416460 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain, 0_2_00416460
No contacted IP infos