Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | ReversingLabs: Detection: 66% |
Source: Wind0ws7l0aderV3.4875.exe | ReversingLabs: Detection: 63% |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Joe Sandbox ML: detected |
Source: Wind0ws7l0aderV3.4875.exe | Joe Sandbox ML: detected |
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE |
Source: | Binary string: c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdbt[ source: WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp |
Source: | Binary string: c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdb source: WindowsLoader.exe, WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp |
Source: | Binary string: bootsect.pdb source: WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000002.2876690440.00000000028ED000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00DA5AE0 FindFirstFileA,FindNextFileA,FindClose, | 1_2_00DA5AE0 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_02696A40 FindFirstFileA,FindNextFileA,FindClose, | 1_2_02696A40 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_026B5B80 FindFirstFileA,FindNextFileA,FindClose, | 1_2_026B5B80 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_026D52A0 FindFirstFileA,FindNextFileA,FindClose, | 1_2_026D52A0 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_026F3FB0 FindFirstFileA,FindNextFileA,FindClose, | 1_2_026F3FB0 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_02703CC0 FindFirstFileA,FindNextFileA,FindClose, | 1_2_02703CC0 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_02F9FAB0 FindFirstFileA,FindNextFileA,FindClose, | 1_2_02F9FAB0 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_1000F790 FindFirstFileA,FindNextFileA,FindClose, | 1_2_1000F790 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0053A130 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,GlobalAlloc,GlobalSize,GlobalFix,GlobalUnWire,SetClipboardData,GlobalAlloc,GlobalSize,GlobalFix,GlobalUnWire,SetClipboardData, | 1_2_0053A130 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_004159E0 GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount, | 1_2_004159E0 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_005586C0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, | 1_2_005586C0 |
Source: Wind0ws7l0aderV3.4875.exe, 00000000.00000000.1620043589.0000000000794000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_9caf6c5c-e |
Source: Wind0ws7l0aderV3.4875.exe, 00000000.00000000.1620043589.0000000000794000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" | memstr_57dc25a1-0 |
Source: Wind0ws7l0aderV3.4875.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_53f12a50-5 |
Source: Wind0ws7l0aderV3.4875.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" | memstr_5d1a8329-6 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00576849 | 1_2_00576849 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00571427 | 1_2_00571427 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_005196C0 | 1_2_005196C0 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0040CEF0 | 1_2_0040CEF0 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0051A770 | 1_2_0051A770 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00519F00 | 1_2_00519F00 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00DA25F0 | 1_2_00DA25F0 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_02693550 | 1_2_02693550 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_026B10E9 | 1_2_026B10E9 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_026B25C0 | 1_2_026B25C0 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_026F1C50 | 1_2_026F1C50 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_026F1310 | 1_2_026F1310 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_02F9BE90 | 1_2_02F9BE90 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_02F92110 | 1_2_02F92110 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_10009C00 | 1_2_10009C00 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_100114A0 | 1_2_100114A0 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_10004DC0 | 1_2_10004DC0 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_1000DACB | 1_2_1000DACB |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_100087C0 | 1_2_100087C0 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0279321C | 1_2_0279321C |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0278901E | 1_2_0278901E |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0274A0FD | 1_2_0274A0FD |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_027494EF | 1_2_027494EF |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0274BA1A | 1_2_0274BA1A |
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe 2F2ABA1E074F5F4BAA08B524875461889F8F04D4FFC43972AC212E286022AB94 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: String function: 02F974B0 appears 31 times | |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: String function: 004AB970 appears 76 times | |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: String function: 004F1FC0 appears 31 times | |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: String function: 10001000 appears 41 times | |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: String function: 004F1F50 appears 88 times | |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: String function: 005253E0 appears 88 times | |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: String function: 004C9900 appears 41 times | |
Source: WindowsLoader.exe.0.dr | Static PE information: Resource name: RT_CURSOR type: Microsoft a.out overlay pure segmented standalone word-swapped not-stripped pre-SysV V3.0 386 small model executable not stripped |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: wsock32.dll |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: version.dll |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: mpr.dll |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: iphlpapi.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: version.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: winmm.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: wsock32.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: wldp.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: propsys.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: wbemcomn.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: amsi.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: userenv.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: profapi.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: dataexchange.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: d3d11.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: dcomp.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: dxgi.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: twinapi.appcore.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: textshaping.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: riched32.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: riched20.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: usp10.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: msls31.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: msftedit.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: windows.globalization.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: bcp47langs.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: bcp47mrm.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: globinputhost.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: explorerframe.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: textinputframework.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: coreuicomponents.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: coremessaging.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: ntmarta.dll |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: wintypes.dll |
Source: WindowsLoader.exe.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9983461850649351 |
Source: WindowsLoader.exe.0.dr | Binary string: \ArcName\multi(0)disk(0)rdisk(1)\ArcName\multi(0)disk(0)rdisk(0)multi(%d)disk(%d)rdisk(%d)FirmwareBootDevice\Registry\Machine\SYSTEM\CurrentControlSet\Control%s\Partition%lu\Partition0SystemPartition\Registry\Machine\SYSTEM\CurrentControlSet\Control\Syspart\Device\Harddisk%lu\Partition%luMININTSystemStartOptions%s%s\ArcName\multi(%d)disk(%d)rdisk(%d)partition(%d) |
Source: classification engine | Classification label: mal80.evad.winEXE@3/2@0/0 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00DA1462 CoInitialize,CoCreateInstance, | 1_2_00DA1462 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Mutant created: \Sessions\1\BaseNamedObjects\WIN7LDRMU |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | File created: C:\Users\user\AppData\Local\Temp\aut2507.tmp |
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Process created: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Window found: window name: SysTabControl32 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | File opened: C:\Windows\SysWOW64\RICHED32.DLL |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: Wind0ws7l0aderV3.4875.exe | Static file information: File size 4612608 > 1048576 |
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x39da00 |
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0044E350 LoadLibraryA,GetProcAddress,GetLongPathNameW,GetProcAddress, | 1_2_0044E350 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00568521 push ecx; ret | 1_2_00568534 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_100179F0 push eax; ret | 1_2_10017BE1 |
Source: initial sample | Static PE information: section name: UPX0 |
Source: initial sample | Static PE information: section name: UPX1 |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | File created: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe |
Source: WindowsLoader.exe.0.dr | Binary or memory string: bcdedit.exe |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00482F50 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoInitialize, | 1_2_00482F50 |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | System information queried: FirmwareTableInformation |
Source: WindowsLoader.exe, 00000001.00000002.2876006832.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr | Binary or memory string: SBIEDLL.DLL |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_0-614 |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | API coverage: 7.0 % |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | API coverage: 4.0 % |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Product from Win32_BaseBoard |
Source: WindowsLoader.exe, 00000001.00000002.2876006832.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr | Binary or memory string: Created encrypted hyper-v loader |
Source: WindowsLoader.exe, 00000001.00000002.2875761773.00000000008CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll< |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | API call chain: ExitProcess graph end node | graph_1-79313 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | API call chain: ExitProcess graph end node | graph_1-80220 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | API call chain: ExitProcess graph end node | graph_1-79453 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Process information queried: ProcessInformation |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Code function: 0_2_00715A39 IsDebuggerPresent, | 0_2_00715A39 |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Code function: 0_2_00715BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, | 0_2_00715BFC |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0044E350 LoadLibraryA,GetProcAddress,GetLongPathNameW,GetProcAddress, | 1_2_0044E350 |
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Code function: 0_2_0070A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0070A2D5 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00566120 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 1_2_00566120 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_005662C8 _malloc,std::exception::exception,__CxxThrowException@8,__set_abort_behavior,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 1_2_005662C8 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0056AB47 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 1_2_0056AB47 |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_004D91C0 FindWindowW,FindWindowA,ShowWindow,GetActiveWindow,GetMenu,GetMenu,GetSystemMetrics,GetMenu,SetMenu,SendMessageA,GetWindowLongA,GetWindowRect,ScreenToClient,ScreenToClient,ScreenToClient,GetWindowLongA,GetWindowRect,MoveWindow, | 1_2_004D91C0 |
Source: Wind0ws7l0aderV3.4875.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning |
Source: WindowsLoader.exe, 00000001.00000002.2876006832.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr | Binary or memory string: Shell_TrayWnd |
Source: WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: uMmenuShutdownSHELL_TRAYWNDSHELL_TRAYWND |
Source: WindowsLoader.exe, WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: SHELL_TRAYWND |
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00DA5770 cpuid | 1_2_00DA5770 |