Source: file.exe | ReversingLabs: Detection: 39% |
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: | Binary string: ::7S|P2f=bV|J/w}hut^fES.*^,5*.pDbZqxtLx,@oI#,oSyY?9L,MTlL,t{sZ;]uEjQYb^_EXYsoP0E2&vu*4rDj7_=ngHNnvUo4hJ|q5-&FdF3_{GXCN00LYQ2Jgj source: file.exe, 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmp |
Source: | Binary string: ^ ::f,1PlmFP@IbV6W!op_/}E29-=ePRdnsqxb}Y@*}s!;R=6qc0fQtlFmew}NL2@?L~Mi.J9WHp9(cH[D08]PJfal}WdgK~?a{Wg+bGyoUnEOOgkasdJf6@hc~}wtL[Y ::7S|P2f=bV|J/w}hut^fES.*^,5*.pDbZqxtLx,@oI#,oSyY?9L,MTlL,t{sZ;]uEjQYb^_EXYsoP0E2&vu*4rDj7_=ngHNnvUo4hJ|q5-&FdF3_{GXCN00LYQ2Jgj source: file.exe |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00475E20 _wcschr,_wcschr,_wcschr,_wcsncpy,_wcschr,FindClose,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose, | 0_2_00475E20 |
Source: file.exe, file.exe, 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://autohotkey.com |
Source: file.exe, 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://autohotkey.comCould |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00408E80 SetWindowsHookExW 0000000D,Function_000047F0,00400000,00000000 | 0_2_00408E80 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404330 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard, | 0_2_00404330 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404500 GetClipboardFormatNameW,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,GetClipboardData, | 0_2_00404500 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E17A GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetModuleHandleW,GetProcAddress,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId, | 0_2_0040E17A |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E019 __wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetModuleHandleW,GetProcAddress,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId, | 0_2_0040E019 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E0AE GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetModuleHandleW,GetProcAddress,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId, | 0_2_0040E0AE |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E2BF GetModuleHandleW,GetProcAddress,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId, | 0_2_0040E2BF |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E68A _free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId, | 0_2_0040E68A |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E6B0 _free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId, | 0_2_0040E6B0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E701 __wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetWindowThreadProcessId, | 0_2_0040E701 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004117F0 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState, | 0_2_004117F0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00417101 | 0_2_00417101 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C1B0 | 0_2_0040C1B0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041EAA0 | 0_2_0041EAA0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0048CBF0 | 0_2_0048CBF0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040BB90 | 0_2_0040BB90 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00413421 | 0_2_00413421 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00413420 | 0_2_00413420 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041F510 | 0_2_0041F510 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00482F60 | 0_2_00482F60 |
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0042ECE0 appears 82 times |
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0048E559 appears 82 times |
Source: file.exe | Static PE information: Resource name: RT_RCDATA type: COM executable for DOS |
Source: file.exe, 00000000.00000000.1698591836.000000000064E000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameLicenseSwitcher" vs file.exe |
Source: file.exe, 00000000.00000002.2953895486.000000000064E000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameLicenseSwitcher" vs file.exe |
Source: file.exe | Binary or memory string: OriginalFilenameLicenseSwitcher" vs file.exe |
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: classification engine | Classification label: mal76.spyw.evad.winEXE@6/3@0/0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042F8D0 __wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW, | 0_2_0042F8D0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476DC0 SystemParametersInfoW,LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,ExtractIconW, | 0_2_00476DC0 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03 |
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log |
Source: file.exe | ReversingLabs: Detection: 39% |
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" |
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cscript.exe cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs |
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cscript.exe cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs |
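The process tree above is the behaviour a detection engineer would want to catch generically: a 32-bit executable reaches the 64-bit cmd.exe through the sysnative alias, cmd.exe launches cscript.exe on a .vbs dropped in %LOCALAPPDATA%\Temp, and the script's output is appended to kms.log in the same directory. The following Python is an added example written for this page, not code from the report or from the sample: it runs that logic over constructed process-creation records whose fields mirror Sysmon Event ID 1 (PIDs, the parent PID 4000 and the benign control row are invented; the command lines of the malicious chain are copied from the report).

```python
import re

# Constructed process-creation records modelled on the process tree in the report above.
# Field names mirror Sysmon Event ID 1; PIDs and the benign control row are illustrative.
EVENTS = [
    {"pid": 7000, "ppid": 4000, "image": r"C:\Users\user\Desktop\file.exe",
     "cmd": r'"C:\Users\user\Desktop\file.exe"'},
    {"pid": 7480, "ppid": 7000, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"C:\Windows\sysnative\cmd.exe /c (cscript.exe /nologo "
            r"C:\Users\user\AppData\Local\Temp\PID8.vbs)>>C:\Users\user\AppData\Local\Temp\kms.log"},
    {"pid": 7512, "ppid": 7480, "image": r"C:\Windows\System32\conhost.exe",
     "cmd": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 7530, "ppid": 7480, "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe /nologo C:\Users\user\AppData\Local\Temp\PID8.vbs"},
    # benign control: a logon script run from a domain share, not from %TEMP%
    {"pid": 8000, "ppid": 4000, "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript.exe //nologo \\corp\netlogon\map_drives.vbs"},
]

# Script host launched with a script that lives under %LOCALAPPDATA%\Temp.
SCRIPT_RE = re.compile(
    r"(?i)\b[cw]script(?:\.exe)?\b.*?"
    r"((?:[a-z]:\\|\\\\)[^\s)>]*\\appdata\\local\\temp\\[^\s)>]*\.(?:vbs|vbe|js|jse|wsf))"
)
# Output redirection operator and its target file.
REDIRECT_RE = re.compile(r">>?\s*([^\s&|()]+)")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def temp_script(cmd):
    """Return the %TEMP% script path a cscript/wscript command line runs, or None."""
    m = SCRIPT_RE.search(cmd)
    return m.group(1) if m else None


def redirect_target(cmd):
    """Return the file a cmd.exe command line redirects output into, or None."""
    m = REDIRECT_RE.search(cmd)
    return m.group(1) if m else None


def ancestry(events, pid):
    """Image basenames from the outermost known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names[::-1]


def detect(events):
    """Flag script hosts running a %TEMP% script; enrich with the parent cmd.exe's redirect and sysnative use."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in ("cscript.exe", "wscript.exe"):
            continue
        script = temp_script(e["cmd"])
        if script is None:
            continue
        f = {"pid": e["pid"], "script": script, "chain": ancestry(events, e["pid"]),
             "log": None, "sysnative": False}
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == "cmd.exe":
            f["log"] = redirect_target(parent["cmd"])
            # a 32-bit process reaching the 64-bit cmd.exe through the sysnative alias
            f["sysnative"] = "\\sysnative\\" in parent["cmd"].lower()
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The detector keys on the script host rather than on cmd.exe so that a direct ShellExecute of cscript.exe (which 0_2_0042F8D0 above is capable of) is caught as well; the redirect target and the sysnative path are enrichment, not conditions, so their absence does not suppress the finding. The %TEMP% path condition is what keeps the logon-script control row quiet.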
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: wsock32.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: sxs.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: textinputframework.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: coreuicomponents.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: version.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: uxtheme.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: sxs.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: vbscript.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: amsi.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: userenv.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: profapi.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: wldp.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: msasn1.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: rsaenh.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: cryptbase.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: msisip.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: wshext.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: scrobj.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: wbemcomn.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: mpr.dll |
Source: C:\Windows\System32\cscript.exe | Section loaded: scrrun.dll |
Source: C:\Users\user\Desktop\file.exe | Window detected: Number of UI elements: 52 |
Source: file.exe | Static file information: File size 1675264 > 1048576 |
Source: file.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x17de00 |
Source: | Binary string: ::7S|P2f=bV|J/w}hut^fES.*^,5*.pDbZqxtLx,@oI#,oSyY?9L,MTlL,t{sZ;]uEjQYb^_EXYsoP0E2&vu*4rDj7_=ngHNnvUo4hJ|q5-&FdF3_{GXCN00LYQ2Jgj source: file.exe, 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmp |
Source: | Binary string: ^ ::f,1PlmFP@IbV6W!op_/}E29-=ePRdnsqxb}Y@*}s!;R=6qc0fQtlFmew}NL2@?L~Mi.J9WHp9(cH[D08]PJfal}WdgK~?a{Wg+bGyoUnEOOgkasdJf6@hc~}wtL[Y ::7S|P2f=bV|J/w}hut^fES.*^,5*.pDbZqxtLx,@oI#,oSyY?9L,MTlL,t{sZ;]uEjQYb^_EXYsoP0E2&vu*4rDj7_=ngHNnvUo4hJ|q5-&FdF3_{GXCN00LYQ2Jgj source: file.exe |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064DBE0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, | 0_2_0064DBE0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040707B push esp; ret | 0_2_0040707E |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040708C push esp; ret | 0_2_0040708D |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00407112 push esp; ret | 0_2_00407113 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004075FF push esp; ret | 0_2_00407602 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406E51 push esp; ret | 0_2_00406E52 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040760A push esp; ret | 0_2_00407611 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406FCC pushad ; ret | 0_2_00406FCD |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406FF6 push esp; ret | 0_2_00406FF7 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00492FF5 push ecx; ret | 0_2_00493008 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406FB9 pushad ; ret | 0_2_00406FBA |
Source: initial sample | Static PE information: section name: UPX0 |
Source: initial sample | Static PE information: section name: UPX1 |
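The static indicators above (section names UPX0/UPX1, a UPX1 raw size above 0x100000, RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE, and an entry point at 0x64DBE0 that does LoadLibraryA/GetProcAddress/VirtualProtect, which is the UPX stub rebuilding imports and page protections) are all readable from the PE file header and section table alone. The Python below is an added example, not the report's or the sample's code: it builds a minimal header-only PE in memory whose UPX1 raw size (0x17de00) and characteristics are taken from the report, with the UPX0 and .rsrc figures and every offset invented to make the table self-consistent, then parses it back and reproduces the report's checks. Real files can be fed to parse_pe() and upx_indicators() unchanged.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
UPX1_RAW_THRESHOLD = 0x100000  # threshold used by the report's "Raw size of UPX1 is bigger than" check

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def build_pe(sections, characteristics):
    """Assemble a minimal PE header + section table (constructed for parsing only; not a runnable image)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)      # PE32 optional header, rest zeroed
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, len(opt), characteristics)
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), vsize, vaddr, raw, rawptr, 0, 0, 0, 0, flags)
        for name, vsize, vaddr, raw, rawptr, flags in sections
    )
    return dos + b"PE\0\0" + coff + opt + table


def parse_pe(data):
    """Return (file characteristics, [section dicts]) read from the headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    base = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size
    secs = []
    for i in range(nsec):
        name, vsize, vaddr, raw, rawptr, _, _, _, _, flags = struct.unpack_from(SECTION_FMT, data, base + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                     "vaddr": vaddr, "raw": raw, "rawptr": rawptr, "flags": flags})
    return chars, secs


def upx_indicators(data):
    """Reproduce the static checks the report lists for a UPX-packed 32-bit image."""
    chars, secs = parse_pe(data)
    by_name = {s["name"]: s for s in secs}
    out = []
    if chars & IMAGE_FILE_RELOCS_STRIPPED:
        out.append("RELOCS_STRIPPED")
    if chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        out.append("EXECUTABLE_IMAGE")
    if chars & IMAGE_FILE_32BIT_MACHINE:
        out.append("32BIT_MACHINE")
    if "UPX0" in by_name and "UPX1" in by_name:
        out.append("section name: UPX0/UPX1")
    upx0 = by_name.get("UPX0")
    if upx0 and upx0["raw"] == 0 and upx0["vsize"] > 0:
        # UPX0 occupies no file bytes; the decompressed image is written there at run time
        out.append("UPX0 has no raw data but 0x%x virtual bytes (unpack destination)" % upx0["vsize"])
    upx1 = by_name.get("UPX1")
    if upx1 and upx1["raw"] > UPX1_RAW_THRESHOLD:
        out.append("Raw size of UPX1 is bigger than: 0x%x < 0x%x" % (UPX1_RAW_THRESHOLD, upx1["raw"]))
    return out


# Constructed layout: the UPX1 raw size (0x17de00) and the characteristics come from the report;
# the UPX0 and .rsrc figures and all offsets are invented to make a self-consistent table.
SAMPLE = build_pe(
    [("UPX0", 0x0B0000, 0x001000, 0x000000, 0x000400, 0xE0000080),
     ("UPX1", 0x17E000, 0x0B1000, 0x17DE00, 0x000400, 0xE0000040),
     (".rsrc", 0x018000, 0x22F000, 0x017A00, 0x17E200, 0xC0000040)],
    IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE,
)

if __name__ == "__main__":
    for line in upx_indicators(SAMPLE):
        print(line)
```

Section names are trivially renamed by anyone re-packing a binary, so the structural signal (a first section with zero raw data but a large virtual size, a second section holding almost the whole file, and an entry point inside that second section) is the part worth keeping in a triage rule; the name check is only a convenience.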
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00469130 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,KiUserCallbackDispatcher,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect, | 0_2_00469130 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00478C60 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,KiUserCallbackDispatcher, | 0_2_00478C60 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00476360 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen, | 0_2_00476360 |
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cscript.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cscript.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_NetworkAdapter WHERE NetEnabled=True and PhysicalAdapter=True and PNPDeviceID LIKE '%PCI%' |
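The WMI query above is a common sandbox heuristic: it asks for network adapters that are enabled, flagged as physical, and enumerated on the PCI bus, and an empty result is taken to mean the code is not running on real hardware. The report shows only the query, so how the sample acts on the result is not known; the Python below is an added example written for this page (not the sample's or the report's code) that evaluates the query's three predicates against constructed Win32_NetworkAdapter rows for a physical host, a Hyper-V guest and a VMware guest, with all PNPDeviceID values, names and the empty-result-means-sandbox inference being illustrative assumptions.

```python
import re

# Constructed Win32_NetworkAdapter rows (illustrative values, not captured from the sample or a real host).
HOSTS = {
    "physical": [
        {"Name": "Intel(R) Ethernet Connection I219-LM", "NetEnabled": True, "PhysicalAdapter": True,
         "PNPDeviceID": r"PCI\VEN_8086&DEV_15D7&SUBSYS_225D17AA&REV_21\3&11583659&0&FE"},
        {"Name": "WAN Miniport (IP)", "NetEnabled": None, "PhysicalAdapter": False,
         "PNPDeviceID": r"SWD\MSRRAS\MS_NDISWANIP"},
    ],
    "hyperv_vm": [
        {"Name": "Microsoft Hyper-V Network Adapter", "NetEnabled": True, "PhysicalAdapter": True,
         "PNPDeviceID": r"VMBUS\{F8615163-DF3E-46C5-913F-F2D2F965ED0E}\{6B1D4F2C-3A8E-4E9B-9C21-0D7F5A3B8E11}"},
    ],
    "vmware_vm": [
        {"Name": "vmxnet3 Ethernet Adapter", "NetEnabled": True, "PhysicalAdapter": True,
         "PNPDeviceID": r"PCI\VEN_15AD&DEV_07B0&SUBSYS_07B015AD&REV_01\4&2B5C3A1F&0&00A8"},
    ],
}

# The query exactly as it appears in the report.
WQL = ("Select * from Win32_NetworkAdapter WHERE NetEnabled=True "
       "and PhysicalAdapter=True and PNPDeviceID LIKE '%PCI%'")

COND_RE = re.compile(r"(\w+)\s*(=|LIKE)\s*(?:'([^']*)'|(\w+))", re.IGNORECASE)


def like_to_regex(pattern):
    """Translate a WQL LIKE pattern (% = any run, _ = one char) into an anchored case-insensitive regex."""
    parts = [".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def _literal(tok):
    if tok.lower() in ("true", "false"):
        return tok.lower() == "true"
    return int(tok) if tok.isdigit() else tok


def parse_where(wql):
    """Parse a WHERE clause made of AND-joined 'field=value' / 'field LIKE pattern' terms."""
    where = re.split(r"\s+where\s+", wql, maxsplit=1, flags=re.IGNORECASE)[1]
    preds = []
    for cond in re.split(r"\s+and\s+", where, flags=re.IGNORECASE):
        m = COND_RE.fullmatch(cond.strip())
        if not m:
            raise ValueError(f"unsupported condition: {cond!r}")
        field, op, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if op.upper() == "LIKE":
            preds.append((field, "LIKE", like_to_regex(value)))
        else:
            preds.append((field, "=", _literal(value)))
    return preds


def run_query(wql, rows):
    """Return the rows that satisfy every predicate, the way WMI would answer the sample."""
    preds = parse_where(wql)
    hits = []
    for row in rows:
        for field, op, val in preds:
            cell = row.get(field)
            ok = (isinstance(cell, str) and val.match(cell) is not None) if op == "LIKE" else cell == val
            if not ok:
                break
        else:
            hits.append(row)
    return hits


def likely_sandbox(rows):
    """Assumed inference (the report shows only the query): no enabled, physical, PCI-attached NIC => VM/sandbox."""
    return not run_query(WQL, rows)


if __name__ == "__main__":
    for host, rows in HOSTS.items():
        print(host, [r["Name"] for r in run_query(WQL, rows)], "sandbox?" , likely_sandbox(rows))
```

The worked result shows the limits of this check in both directions: a Hyper-V guest fails it because its synthetic NIC sits on VMBUS rather than PCI, while a VMware guest with a vmxnet3 adapter passes because that device is PCI-enumerated. A sandbox that wants to survive this query therefore needs an adapter that reports PhysicalAdapter=True with a PCI PNPDeviceID, and a detection that keys only on the WQL text will see the same query from legitimate inventory tooling, so it is better used as one weighted feature alongside the hook and clipboard behaviour listed elsewhere in this report.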
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004127C0 GetKeyboardLayout followed by cmp: cmp al, 19h and CTI: ja 004128AFh country: Russian (ru) | 0_2_004127C0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00475E20 _wcschr,_wcschr,_wcschr,_wcsncpy,_wcschr,FindClose,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose, | 0_2_00475E20 |
Source: file.exe | Binary or memory string: |HZO9xC-vW ::E5osG1?2Jaq3AWUR)5HYuC*PLa+pZFUh#WRkYD)C[/0..q[lX0ia.?sNRAA]Y;,^2f*.!&O?YXp+B{OLCwGe+JP)HirsbXJeC.3~b=l[m#mHlLVYN@nncxx;m8/eO ::TFoeT!YMvmud6qEmUv*4N+lCvy6yK#+0d)yhX2hP.0=GLvVAw^fA.qSfuX}R-3Z9t)r(L=xK5yV8tUj(NF4gMjXPdrSKu4Ge?assC)&{d2oqm2;oK#REF |
Source: file.exe, 00000000.00000002.2952166293.00000000004E9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ::TFoeT!YMvmud6qEmUv*4N+lCvy6yK#+0d)yhX2hP.0=GLvVAw^fA.qSfuX}R-3Z9t)r(L=xK5yV8tUj(NF4gMjXPdrSKu4Ge?assC)&{d2oqm2;oK#REFXaBRftgY |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00492505 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_00492505 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064DBE0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, | 0_2_0064DBE0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00492505 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_00492505 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00494EE6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_00494EE6 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042F8D0 __wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW, | 0_2_0042F8D0 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040FA50 GetKeyState,GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,GetModuleHandleW,GetProcAddress,GetForegroundWindow,GetAsyncKeyState,keybd_event,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,GetModuleHandleW,GetProcAddress, | 0_2_0040FA50 |
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004109A0 GetAsyncKeyState,GetSystemMetrics,GetSystemMetrics,GetCursorPos,WindowFromPoint,GetWindowThreadProcessId,SendMessageW,mouse_event,mouse_event, | 0_2_004109A0 |
Source: file.exe | Binary or memory string: Program Manager |
Source: file.exe | Binary or memory string: Shell_TrayWnd |
Source: file.exe, 00000000.00000002.2952166293.00000000004A0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: regk-hookm-hook2-hooksjoypollPART%i-%i(no)%s%s%s%s%s%s{Raw}{Text}%s%cHotstring max abbreviation length is 40.EndCharsMouseResetResetParameter #1 invalid.Parameter #2 invalid.Parameter #3 invalid.Parameter #2 must not be blank in this case.Hotstring not found.TextLEFTLRIGHTRMIDDLEMX1X2WUWDWLWRSendInputuser32{Blind}{ClickLl{}^+!#{}RawTempASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt SYSTEM\CurrentControlSet\Control\Keyboard Layouts\Layout FileKbdLayerDescriptorsc%03Xvk%02XSCALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%uStdOutAllClassOverwriteUseEnvLocalSameAsGlobalUseUnsetGlobalUseUnsetLocalYYYYYWeekYearYDayWorkingDirWinDirWinDelayWDayUserNameTitleMatchModeSpeedTitleMatchModeTimeSinceThisHotkeyTimeSincePriorHotkeyTimeIdlePhysicalTimeIdleMouseTimeIdleKeyboardTimeIdleTickCountThisMenuItemPosThisMenuItemThisMenuThisLabelThisHotkeyThisFuncStoreCapslockModeStartupCommonStartupStartMenuCommonStartMenuSecScriptNameScriptHwndScriptFullPathScriptDirScreenWidthScreenHeightScreenDPIRegViewPtrSizeProgramsCommonProgramsPriorKeyPriorHotkeyOSVersionOSTypeNumBatchLinesNowUTCNowMyDocumentsMSecMouseDelayPlayMouseDelayMonMMMMMMMMMMinMDayLoopRegTypeLoopRegTimeModifiedLoopRegSubKeyLoopRegNameLoopRegKeyLoopReadLineLoopFileTimeModifiedLoopFileTimeCreatedLoopFileTimeAccessedLoopFileSizeMBLoopFileSizeKBLoopFileSizeLoopFileShortPathLoopFileShortNameLoopFilePathLoopFileNameLoopFileLongPathLoopFileFullPathLoopFileExtLoopFileDirLoopFileAttribLoopFieldLineNumberLineFileLastErrorLanguageKeyDurationPlayKeyDurationKeyDelayPlayKeyDelayIsUnicodeIsSuspendedIsPausedIsCriticalIsCompiledIsAdminIs64bitOSIPAddress4IPAddress3IPAddress2IPAddress1IndexIconTipIconNumberIconHiddenIconFileHourGuiYGuiXGuiWidthGuiHeightGuiEventGuiControlEventFormatIntegerFormatFloatExitReasonEventInfoEndCharDesktopCommonDesktopDefaultTreeViewDefaultMouseSpeedDefaultListViewDefaultGuiDDDDDDDDDCursorCoordModeToolTipCoordModePixelCoordModeMouseCoordModeMenuCoordModeCaretControlDelayComputerNameCaretYCaretXBatchLinesAppDataCommonAppDataAhkVersionAhkPathTrueProgramFilesFalseComSpecClipboardAll...%s[%Iu of %Iu]: %-1.60s%sPropertyRegExMatch\:\:HKLMHKEY_LOCAL_MACHINEHKCRHKEY_CLASSES_ROOTHKCCHKEY_CURRENT_CONFIGHKCUHKEY_CURRENT_USERHKUHKEY_USERSREG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264LineRegExFASTSLOWAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftL |