Windows Analysis Report
01_extracted.exe

Overview

General Information

Sample name: 01_extracted.exe
Analysis ID: 1538176
MD5: 4af13587ab5e2b2b7a19282da972396f
SHA1: 638deb78a4feba29c2efd1e4d3d168ac8c30528b
SHA256: a53c7b06ef5d3fd8bd441323f55e201cef90753849674d8cfa3e8b2f626f4f19
Tags: exeuser-Racco42
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
One or more processes crash
Potential key logger detected (key state polling based)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 01_extracted.exe ReversingLabs: Detection: 57%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.6% probability
Machine Learning detection for sample
Source: 01_extracted.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 01_extracted.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8449B GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00C8449B
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00C8C7E8
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8C75D FindFirstFileW,FindClose, 0_2_00C8C75D
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C8F021
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C8F17E
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00C8F47F
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C83833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C83833
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C83B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C83B56
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00C8BD48
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C92404 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_00C92404
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C9407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00C9407C
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C9427A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00C9427A
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C9407C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00C9407C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8003A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_00C8003A
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00CACB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00CACB26

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\01_extracted.exe Code function: This is a third-party compiled AutoIt script. 0_2_00C23B4C
Source: 01_extracted.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 01_extracted.exe, 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2ab603ed-b
Source: 01_extracted.exe, 00000000.00000002.1763199710.0000000000CD4000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_2dcf8300-e
Source: 01_extracted.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c86d27c2-8
Source: 01_extracted.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_9d491f07-2
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8A279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00C8A279
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C78638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00C78638
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C85264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00C85264
Detected potential crypto function
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C2E800 0_2_00C2E800
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C2E060 0_2_00C2E060
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C34140 0_2_00C34140
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C42345 0_2_00C42345
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C56452 0_2_00C56452
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00CA0465 0_2_00CA0465
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C525AE 0_2_00C525AE
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C4277A 0_2_00C4277A
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00CA08E2 0_2_00CA08E2
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C36841 0_2_00C36841
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C569C4 0_2_00C569C4
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C38968 0_2_00C38968
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C5890F 0_2_00C5890F
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C7E928 0_2_00C7E928
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C88932 0_2_00C88932
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C4CCA1 0_2_00C4CCA1
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C56F36 0_2_00C56F36
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C370FE 0_2_00C370FE
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C33190 0_2_00C33190
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C21287 0_2_00C21287
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C4F359 0_2_00C4F359
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C43307 0_2_00C43307
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C35680 0_2_00C35680
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C41604 0_2_00C41604
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C358C0 0_2_00C358C0
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C47813 0_2_00C47813
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C4DAF5 0_2_00C4DAF5
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C41AF8 0_2_00C41AF8
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C59C35 0_2_00C59C35
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C2FE40 0_2_00C2FE40
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00CA7E0D 0_2_00CA7E0D
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C41F10 0_2_00C41F10
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C4BF26 0_2_00C4BF26
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\01_extracted.exe Code function: String function: 00C48A80 appears 42 times
Source: C:\Users\user\Desktop\01_extracted.exe Code function: String function: 00C40C63 appears 70 times
Source: C:\Users\user\Desktop\01_extracted.exe Code function: String function: 00C27F41 appears 35 times
One or more processes crash
Source: C:\Users\user\Desktop\01_extracted.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 652
Uses 32bit PE files
Source: 01_extracted.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: mal60.evad.winEXE@2/6@0/0
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8A0F4 GetLastError,FormatMessageW, 0_2_00C8A0F4
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C784F3 AdjustTokenPrivileges,CloseHandle, 0_2_00C784F3
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C78AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00C78AA3
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8B3BF SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00C8B3BF
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C9EF21 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00C9EF21
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C984D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 0_2_00C984D0
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C24FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00C24FE9
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7096
Source: C:\Users\user\Desktop\01_extracted.exe File created: C:\Users\user\AppData\Local\Temp\indivisibility Jump to behavior
Source: 01_extracted.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\01_extracted.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 01_extracted.exe ReversingLabs: Detection: 57%
Source: unknown Process created: C:\Users\user\Desktop\01_extracted.exe "C:\Users\user\Desktop\01_extracted.exe"
Source: C:\Users\user\Desktop\01_extracted.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 652
Source: C:\Users\user\Desktop\01_extracted.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe Section loaded: wldp.dll Jump to behavior
Source: 01_extracted.exe Static file information: File size 1564160 > 1048576
Source: 01_extracted.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 01_extracted.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 01_extracted.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 01_extracted.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 01_extracted.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 01_extracted.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 01_extracted.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 01_extracted.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 01_extracted.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 01_extracted.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 01_extracted.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 01_extracted.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C9C104 LoadLibraryA,GetProcAddress, 0_2_00C9C104
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C702D4 push ecx; ret 0_2_00C703D0
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C703D6 push ecx; ret 0_2_00C703D8
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C703D2 push ecx; ret 0_2_00C703D4
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C88538 push FFFFFF8Bh; iretd 0_2_00C8853A
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C4E88F push edi; ret 0_2_00C4E891
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C4E9A8 push esi; ret 0_2_00C4E9AA
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C48AC5 push ecx; ret 0_2_00C48AD8
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C4EB83 push esi; ret 0_2_00C4EB85
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C4EC6C push edi; ret 0_2_00C4EC6E
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C311AD push cs; ret 0_2_00C311AE
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C311B0 push cs; ret 0_2_00C311B6
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C31118 push cs; ret 0_2_00C3111E
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C31120 push cs; ret 0_2_00C311AA
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C354D4 push edx; ret 0_2_00C354EA
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C3548B push ebx; ret 0_2_00C354A6
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C354A7 push eax; ret 0_2_00C354B6
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C35474 push ebx; ret 0_2_00C3548A
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C35404 push ebx; ret 0_2_00C35436
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C35543 push ebx; ret 0_2_00C3554A
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C3554B push ebx; ret 0_2_00C3554E
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C35501 push edx; ret 0_2_00C35516
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C35518 push eax; ret 0_2_00C35542
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C317E3 push ss; ret 0_2_00C317EC
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C317ED push ss; ret 0_2_00C317F0
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C317FD push ss; ret 0_2_00C31800
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C24A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00C24A35
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00CA53DF IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00CA53DF
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C43307 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00C43307
Source: C:\Users\user\Desktop\01_extracted.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\01_extracted.exe API coverage: 3.6 %
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8449B GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00C8449B
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8C7E8 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00C8C7E8
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8C75D FindFirstFileW,FindClose, 0_2_00C8C75D
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8F021 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C8F021
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8F17E SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C8F17E
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8F47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00C8F47F
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C83833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C83833
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C83B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C83B56
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C8BD48 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00C8BD48
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C24AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00C24AFE
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\01_extracted.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\01_extracted.exe Process queried: DebugPort Jump to behavior
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C9401F BlockInput, 0_2_00C9401F
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C23B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00C23B4C
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C55BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00C55BFC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C9C104 LoadLibraryA,GetProcAddress, 0_2_00C9C104
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C781D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00C781D4
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C4A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C4A2D5
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C4A2A4 SetUnhandledExceptionFilter, 0_2_00C4A2A4
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C78A73 LogonUserW, 0_2_00C78A73
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C23B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00C23B4C
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C24A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00C24A35
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C84CCE mouse_event, 0_2_00C84CCE
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C781D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00C781D4
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C84A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00C84A08
Source: 01_extracted.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 01_extracted.exe Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C487AB cpuid 0_2_00C487AB
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C55007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00C55007
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C6215F GetUserNameW, 0_2_00C6215F
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C540BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00C540BA
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C24AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00C24AFE
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe
OS version to string mapping found (often used in BOTs)
Source: 01_extracted.exe Binary or memory string: WIN_81
Source: 01_extracted.exe Binary or memory string: WIN_XP
Source: 01_extracted.exe Binary or memory string: WIN_XPe
Source: 01_extracted.exe Binary or memory string: WIN_VISTA
Source: 01_extracted.exe Binary or memory string: WIN_7
Source: 01_extracted.exe Binary or memory string: WIN_8
Source: 01_extracted.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C96399 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00C96399
Source: C:\Users\user\Desktop\01_extracted.exe Code function: 0_2_00C9685D socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00C9685D
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1538176 Sample: 01_extracted.exe Startdate: 20/10/2024 Architecture: WINDOWS Score: 60 14 Multi AV Scanner detection for submitted file 2->14 16 Binary is likely a compiled AutoIt script file 2->16 18 Machine Learning detection for sample 2->18 20 AI detected suspicious sample 2->20 6 01_extracted.exe 1 2->6         started        process3 signatures4 22 Binary is likely a compiled AutoIt script file 6->22 9 WerFault.exe 21 16 6->9         started        process5 file6 12 C:\ProgramData\Microsoft\...\Report.wer, Unicode 9->12 dropped
No contacted IP infos