Windows Analysis Report
AFCMgr.exe

Overview

General Information

Sample name: AFCMgr.exe
Analysis ID: 1530832
MD5: 3cbda14f9127caa94ea6bdf039cfc4a4
SHA1: 4e4a467925fea70c95cd7e575280ca44f3909c0d
SHA256: 67f8779d615bb34cf7d6204d412c984cb680c5ee155b8397b56f3d773b8d538e

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: AFCMgr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 4x nop then push ebp 0_2_00547170
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 4x nop then push ebp 0_2_005AD220
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 4x nop then push ebp 0_2_005F43E0
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 4x nop then push ebp 0_2_004C7580
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 4x nop then push ebp 0_2_0061F7A0
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 4x nop then sub esp, 14h 0_2_004C6930
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 0_2_00603130 0_2_00603130
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 0_2_00561100 0_2_00561100
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 0_2_0059C2C0 0_2_0059C2C0
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 0_2_00581290 0_2_00581290
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 0_2_0053A300 0_2_0053A300
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 0_2_0053F510 0_2_0053F510
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 0_2_00545640 0_2_00545640
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 0_2_00559750 0_2_00559750
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 0_2_004FC770 0_2_004FC770
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 0_2_00614AA0 0_2_00614AA0
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 0_2_005FDB10 0_2_005FDB10
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 0_2_005B3C90 0_2_005B3C90
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 0_2_00540D00 0_2_00540D00
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 0_2_0055BD00 0_2_0055BD00
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: String function: 004E7F40 appears 37 times
Source: classification engine Classification label: clean3.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\AFCMgr.exe Mutant created: NULL
Source: AFCMgr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AFCMgr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AFCMgr.exe String found in binary or memory: --Addr
Source: AFCMgr.exe String found in binary or memory: --Addr
Source: C:\Users\user\Desktop\AFCMgr.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AFCMgr.exe Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\AFCMgr.exe Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\AFCMgr.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\AFCMgr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\AFCMgr.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\AFCMgr.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\AFCMgr.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\AFCMgr.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\AFCMgr.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\AFCMgr.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\AFCMgr.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\AFCMgr.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\AFCMgr.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\AFCMgr.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\AFCMgr.exe Section loaded: wintypes.dll
Source: AFCMgr.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: AFCMgr.exe Static file information: File size 2256896 > 1048576
Source: AFCMgr.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x224000
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 0_2_00406808 pushad ; retn 0059h 0_2_00406A85
Source: C:\Users\user\Desktop\AFCMgr.exe Code function: 0_2_0040680C pushad ; retn 0059h 0_2_00406A85
Source: C:\Users\user\Desktop\AFCMgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AFCMgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AFCMgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AFCMgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AFCMgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AFCMgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AFCMgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AFCMgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AFCMgr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AFCMgr.exe API coverage: 1.3 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
No contacted IP infos