Windows Analysis Report
ET7GnkzV1D.exe

Overview

General Information

Sample name: ET7GnkzV1D.exe
renamed because original name is a hash value
Original sample name: 293da2f09c7f7c04057130f8e7d78bd6.exe
Analysis ID: 1527492
MD5: 293da2f09c7f7c04057130f8e7d78bd6
SHA1: 8ae1886774ac2c474228175425e5811182770acc
SHA256: 0df444b6fafe38d90cbe0c01b4f91d3dacf8604fb8c799a0b9723b82643bdbf5
Tags: 32exe
Infos:

Detection

Score: 39
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evaded block containing many API calls
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: ET7GnkzV1D.exe ReversingLabs: Detection: 71%
Source: ET7GnkzV1D.exe Joe Sandbox ML: detected
Source: ET7GnkzV1D.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ET7GnkzV1D.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: ET7GnkzV1D.exe
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005DD420 SendDlgItemMessageW,GetDlgItem,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_005DD420
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005CBA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_005CBA94
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005DB090 SetWindowLongW,NtdllDefWindowProc_W, 0_2_005DB090
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005C7AAF: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_005C7AAF
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005D5011 0_2_005D5011
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005D8253 0_2_005D8253
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005C92C6 0_2_005C92C6
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005D02F7 0_2_005D02F7
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005D5282 0_2_005D5282
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005E62A8 0_2_005E62A8
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005D13FD 0_2_005D13FD
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005D742E 0_2_005D742E
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005E64D7 0_2_005E64D7
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005D55B0 0_2_005D55B0
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005EE600 0_2_005EE600
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005D07A7 0_2_005D07A7
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005CD833 0_2_005CD833
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005D88AF 0_2_005D88AF
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005C395A 0_2_005C395A
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005C4A8E 0_2_005C4A8E
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005EEAAE 0_2_005EEAAE
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005F2BB4 0_2_005F2BB4
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005CFCCC 0_2_005CFCCC
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005D7DDC 0_2_005D7DDC
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005C2EB6 0_2_005C2EB6
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: String function: 005DFEFC appears 42 times
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: String function: 005E07A0 appears 31 times
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: String function: 005DFFD0 appears 56 times
Source: ET7GnkzV1D.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: sus39.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005C7727 GetLastError,FormatMessageW, 0_2_005C7727
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005DB0CE CLSIDFromString,CoCreateInstance, 0_2_005DB0CE
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005DB6D2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_005DB6D2
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Command line argument: sfxname 0_2_005DF05C
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Command line argument: sfxstime 0_2_005DF05C
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Command line argument: p0` 0_2_005DF05C
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Command line argument: STARTDLG 0_2_005DF05C
Source: ET7GnkzV1D.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ET7GnkzV1D.exe ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe File read: C:\Users\user\Desktop\ET7GnkzV1D.exe
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: msiso.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: mshtml.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: srpapi.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: msimtf.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: d2d1.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: thumbcache.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: samlib.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Section loaded: networkexplorer.dll
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Automated click: OK
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Automated click: OK
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Automated click: OK
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Automated click: OK
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Automated click: OK
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Automated click: OK
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Automated click: OK
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Automated click: OK
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: ET7GnkzV1D.exe Static file information: File size 1559368 > 1048576
Source: ET7GnkzV1D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ET7GnkzV1D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ET7GnkzV1D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ET7GnkzV1D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ET7GnkzV1D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ET7GnkzV1D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ET7GnkzV1D.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: ET7GnkzV1D.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: ET7GnkzV1D.exe
Source: ET7GnkzV1D.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ET7GnkzV1D.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ET7GnkzV1D.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ET7GnkzV1D.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ET7GnkzV1D.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: ET7GnkzV1D.exe Static PE information: real checksum: 0x53bcc should be: 0x18c252
Source: ET7GnkzV1D.exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005E07F0 push ecx; ret 0_2_005E0803
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005DFEFC push eax; ret 0_2_005DFF1A
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Memory allocated: 73E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005DD420 SendDlgItemMessageW,GetDlgItem,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_005DD420
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005CBA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_005CBA94
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005DF82F VirtualQuery,GetSystemInfo, 0_2_005DF82F
Source: ET7GnkzV1D.exe, 00000000.00000003.2452291158.000000000BC5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:dJ
Source: ET7GnkzV1D.exe, 00000000.00000003.2729022593.000000000BC4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ET7GnkzV1D.exe, 00000000.00000002.2934766672.0000000002D09000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ET7GnkzV1D.exe, 00000000.00000003.2592396114.000000000E91F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:3
Source: ET7GnkzV1D.exe, 00000000.00000003.1893705518.000000000BC55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ET7GnkzV1D.exe, 00000000.00000003.2728807838.000000000E91F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: ET7GnkzV1D.exe, 00000000.00000002.2934766672.0000000002D09000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005E0A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005E0A0A
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005E91B0 mov eax, dword ptr fs:[00000030h] 0_2_005E91B0
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005ED1F0 GetProcessHeap, 0_2_005ED1F0
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005E0A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005E0A0A
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005E0B9D SetUnhandledExceptionFilter, 0_2_005E0B9D
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005E0D8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_005E0D8A
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005E4FEF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005E4FEF
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005E0826 cpuid 0_2_005E0826
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_005DC093
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005DF05C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,CloseHandle, 0_2_005DF05C
Source: C:\Users\user\Desktop\ET7GnkzV1D.exe Code function: 0_2_005CC365 GetVersionExW, 0_2_005CC365
No contacted IP infos