Windows Analysis Report
SecuriteInfo.com.FileRepMalware.14270.3068.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepMalware.14270.3068.exe
Analysis ID: 1417368
MD5: dfbaf344699830430ae052254168d580
SHA1: de616823f575b133c413bd497d30f8b19e71dce6
SHA256: 51b0a985ab920e9f898b89bb10d3c5f6382179b046f3882a5697c1e2d8c88ba6
Tags: exe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to detect sleep reduction / modifications
Sample or dropped binary is a compiled AutoHotkey binary
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

AV Detection

Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe Virustotal: Detection: 45%
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400AE260 FindFirstFileW,FindClose,FindFirstFileW,FindClose, 0_2_00000001400AE260
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400AE160 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00000001400AE160
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014003C8E0 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose, 0_2_000000014003C8E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140066F50 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_0000000140066F50
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400672B0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,free,malloc, 0_2_00000001400672B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140081660 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,wcsncpy,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError, 0_2_0000000140081660
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140067900 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose, 0_2_0000000140067900
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140081C50 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0000000140081C50
Source: Joe Sandbox View IP Address: 162.159.133.233 162.159.133.233
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014007E490 _wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,fclose,DeleteFileW, 0_2_000000014007E490
Source: global traffic HTTP traffic detected:
    GET /attachments/946434985617944649/1187447469743804447/1img.png?ex=6596eba2&is=658476a2&hm=0a3291a0428a9a3a412cccb212e697c45efde312d3ae0a17818b7bba37eb978d& HTTP/1.1
    User-Agent: AutoHotkey
    Host: cdn.discordapp.com
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /attachments/946434985617944649/1187447469492150292/3img.png?ex=6596eba2&is=658476a2&hm=e54785c353dcbe635c35016ed6a0babbb34588ac67d1176df058c308ee2bef44& HTTP/1.1
    User-Agent: AutoHotkey
    Host: cdn.discordapp.com
    Cache-Control: no-cache
    Cookie: __cf_bm=WAgSjmN_wP2eFedjicHfRrdUiKndDMaS86a4K75qnaQ-1711686061-1.0.1.1-w9CFE_AePNDy_Wk3xZI6zK2dF1cZjaN2undiK6NtC2SylUPBRZx1h1rEe28blv8UENKQFkTayXcFWGs54KEpLA; _cfuvid=NokBoZytmEIMqSMZLzeheyttRjABninEj.riDLOMx_M-1711686061063-0.0.1.1-604800000
Source: global traffic HTTP traffic detected:
    GET /attachments/946434985617944649/1187447469185974412/2img.png?ex=6596eba2&is=658476a2&hm=ceac553c8fa20a5a29d3a30fafcd5022ef44d33396c849d1a84b29a8507c87e5& HTTP/1.1
    User-Agent: AutoHotkey
    Host: cdn.discordapp.com
    Cache-Control: no-cache
    Cookie: __cf_bm=WAgSjmN_wP2eFedjicHfRrdUiKndDMaS86a4K75qnaQ-1711686061-1.0.1.1-w9CFE_AePNDy_Wk3xZI6zK2dF1cZjaN2undiK6NtC2SylUPBRZx1h1rEe28blv8UENKQFkTayXcFWGs54KEpLA; _cfuvid=NokBoZytmEIMqSMZLzeheyttRjABninEj.riDLOMx_M-1711686061063-0.0.1.1-604800000
Source: global traffic HTTP traffic detected:
    GET /attachments/946434985617944649/1187449788539613234/AnyDesk.exe?ex=6596edcb&is=658478cb&hm=1ccb90ac0e74e5fc5ff101f4716703308a02fb42540256a74e81a4d808fbe4ef& HTTP/1.1
    User-Agent: AutoHotkey
    Host: cdn.discordapp.com
    Cache-Control: no-cache
    Cookie: __cf_bm=WAgSjmN_wP2eFedjicHfRrdUiKndDMaS86a4K75qnaQ-1711686061-1.0.1.1-w9CFE_AePNDy_Wk3xZI6zK2dF1cZjaN2undiK6NtC2SylUPBRZx1h1rEe28blv8UENKQFkTayXcFWGs54KEpLA; _cfuvid=NokBoZytmEIMqSMZLzeheyttRjABninEj.riDLOMx_M-1711686061063-0.0.1.1-604800000
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 29 Mar 2024 04:21:01 GMT
    Content-Type: text/plain;charset=UTF-8
    Content-Length: 36
    Connection: close
    X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
    Set-Cookie: __cf_bm=WAgSjmN_wP2eFedjicHfRrdUiKndDMaS86a4K75qnaQ-1711686061-1.0.1.1-w9CFE_AePNDy_Wk3xZI6zK2dF1cZjaN2undiK6NtC2SylUPBRZx1h1rEe28blv8UENKQFkTayXcFWGs54KEpLA; path=/; expires=Fri, 29-Mar-24 04:51:01 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8V6xnPq1xbTgxH6gOWx21TemBvlKNtiv4oscg8DiiDreyU66khMHs4Y04SDY0%2Fupk7IHVOnOqHwUHTqOrzN45cRFfo3n9JskjwMUGXcz5%2FktyKp%2BKhQlCKtHeTGcuLzsaL3tlQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Set-Cookie: _cfuvid=NokBoZytmEIMqSMZLzeheyttRjABninEj.riDLOMx_M-1711686061063-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 86bd12198ddc05ce-IAD
    alt-svc: h3=":443"; ma=86400
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 29 Mar 2024 04:21:01 GMT
    Content-Type: text/plain;charset=UTF-8
    Content-Length: 36
    Connection: close
    X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EbHSRBjCGkqqNTK04oK6XceWlvmYyEiRupfFt2LLROR3P43X0Ng54r0g2dclIl1HE88oLzk4M0P8t3AwSofZllPcyza%2F6MyRYbVWEh0aP0Vw3%2Bc2LpY2qDoO3F5OHhxDHD7biA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 86bd121d38785a40-IAD
    alt-svc: h3=":443"; ma=86400
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 29 Mar 2024 04:21:02 GMT
    Content-Type: text/plain;charset=UTF-8
    Content-Length: 36
    Connection: close
    X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jjSik6EHcLiOpxxP1xAL6k%2BoMUGw42udkdzosPaF0VZ%2BoORFcx16y%2BGQX1GRx3Mh4cXbZf85fCscxFE4RUVXQs68LbsaTji7m4%2BEp4Nuuiu69k%2F5y4Ozg5cxfzbaFkoIylpYPA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 86bd12203afa5a45-IAD
    alt-svc: h3=":443"; ma=86400
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 29 Mar 2024 04:21:02 GMT
    Content-Type: text/plain;charset=UTF-8
    Content-Length: 36
    Connection: close
    X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LjW5pURb%2BDcAIYFDC%2B%2B%2FKrte0TLhDJBEVjIZiQkp1uzrOEETOhAlg2bXCSWmxOxdAJeOABUb7IbycRwGXfD6OsxsjnQSEP4FEpLL0Ss9iQlfC5aJCmTvIGhKHH%2F38PLNLM2bdw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 86bd122319af20ba-IAD
    alt-svc: h3=":443"; ma=86400
Source: Amcache.hve.0.dr String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe String found in binary or memory: https://autohotkey.com
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe String found in binary or memory: https://autohotkey.comCould
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe, 00000000.00000003.2082580723.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.14270.3068.exe, 00000000.00000002.3328171326.0000000000951000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe String found in binary or memory: https://cdn.discordapp.com/attachments/946434985617944649/1187447469185974412/2img.png?ex=6596eba2&i
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe String found in binary or memory: https://cdn.discordapp.com/attachments/946434985617944649/1187447469492150292/3img.png?ex=6596eba2&i
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe String found in binary or memory: https://cdn.discordapp.com/attachments/946434985617944649/1187447469743804447/1img.png?ex=6596eba2&i
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe String found in binary or memory: https://cdn.discordapp.com/attachments/946434985617944649/1187449788539613234/AnyDesk.exe?ex=6596edc
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400065E0 GetTickCount,OpenClipboard,GetTickCount,OpenClipboard, 0_2_00000001400065E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140006240 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalFree, 0_2_0000000140006240
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400B12C0 EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalFree,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard, 0_2_00000001400B12C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400064C0 GetClipboardFormatNameW,GetClipboardData, 0_2_00000001400064C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140054F10 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetSystemMetrics,GetSystemMetrics,wcsncpy,GetDC,DestroyIcon,DeleteObject,GetIconInfo,CreateCompatibleDC,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,free,malloc,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,free,free,free,free,malloc, 0_2_0000000140054F10
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400167C0 GetTickCount,PeekMessageW,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount, 0_2_00000001400167C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140001ABC GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,PostMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,IsDialogMessageW,SetCurrentDirectoryW,KillTimer, 0_2_0000000140001ABC

System Summary

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Window found: window name: AutoHotkey
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014005F630 CreateFileW,DeviceIoControl,CloseHandle, 0_2_000000014005F630
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140081CD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_0000000140081CD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400337DF 0_2_00000001400337DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140065860 0_2_0000000140065860
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140089870 0_2_0000000140089870
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400358E6 0_2_00000001400358E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400A9900 0_2_00000001400A9900
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400D1940 0_2_00000001400D1940
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014001B980 0_2_000000014001B980
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400D9990 0_2_00000001400D9990
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140053990 0_2_0000000140053990
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400179A0 0_2_00000001400179A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400719B0 0_2_00000001400719B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400059F0 0_2_00000001400059F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014004DA20 0_2_000000014004DA20
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014007DA28 0_2_000000014007DA28
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140069A60 0_2_0000000140069A60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014006FA70 0_2_000000014006FA70
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140039AA0 0_2_0000000140039AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014003FAB0 0_2_000000014003FAB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014008FAE0 0_2_000000014008FAE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140073BA0 0_2_0000000140073BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140031BA9 0_2_0000000140031BA9
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014008DBF3 0_2_000000014008DBF3
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014005DC20 0_2_000000014005DC20
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140099C21 0_2_0000000140099C21
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014004BC80 0_2_000000014004BC80
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014002BC90 0_2_000000014002BC90
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140097CA0 0_2_0000000140097CA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400CFCAC 0_2_00000001400CFCAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140057CB0 0_2_0000000140057CB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014001FD19 0_2_000000014001FD19
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014007BD2E 0_2_000000014007BD2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140047D40 0_2_0000000140047D40
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014000DDC0 0_2_000000014000DDC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014003DE00 0_2_000000014003DE00
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140063E50 0_2_0000000140063E50
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140013E60 0_2_0000000140013E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400A3ED0 0_2_00000001400A3ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140051EE0 0_2_0000000140051EE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140093EF0 0_2_0000000140093EF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014005FF02 0_2_000000014005FF02
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400DDF1C 0_2_00000001400DDF1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140099F2D 0_2_0000000140099F2D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014004FF2B 0_2_000000014004FF2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140085F40 0_2_0000000140085F40
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014008FF50 0_2_000000014008FF50
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400BBF6B 0_2_00000001400BBF6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014006DF80 0_2_000000014006DF80
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014006BF90 0_2_000000014006BF90
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014004DFA0 0_2_000000014004DFA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014000FFD0 0_2_000000014000FFD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: String function: 00000001400CA91C appears 395 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: String function: 00000001400403F0 appears 63 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: String function: 0000000140040740 appears 463 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: String function: 00000001400CB614 appears 38 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: String function: 00000001400CAB74 appears 60 times
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.FileRepMalware.14270.3068.exe
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe, 00000000.00000000.2064725844.000000014012A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.FileRepMalware.14270.3068.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: ntvdm64.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: ntvdm64.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Section loaded: coremessaging.dll
Source: classification engine Classification label: mal56.evad.winEXE@3/5@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140041B60 CreateProcessW,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,CloseHandle,GetLastError,FormatMessageW, 0_2_0000000140041B60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140081CD0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_0000000140081CD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140060CB9 wcsncpy,GetDiskFreeSpaceW,GetLastError,free,malloc, 0_2_0000000140060CB9
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140081F60 CreateToolhelp32Snapshot,Process32FirstW,_wcstoi64,Process32NextW,Process32NextW,CloseHandle,CloseHandle,CloseHandle, 0_2_0000000140081F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400620E0 _wcstoi64,CoCreateInstance,powf,powf,powf,log10,free,malloc,free,malloc, 0_2_00000001400620E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400207E0 FindResourceW,SizeofResource,LoadResource,LockResource, 0_2_00000001400207E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\1img.png
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe Virustotal: Detection: 45%
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe Static file information: File size 1277440 > 1048576
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400B4300 LoadLibraryW,GetProcAddress, 0_2_00000001400B4300
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe Static PE information: section name: text
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014012A4CB push rbp; iretd 0_2_000000014012A4DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014009D078 push rsi; retf 0009h 0_2_000000014009D079
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400D912C push rbp; iretd 0_2_00000001400D9624
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400B2650 GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,BringWindowToTop, 0_2_00000001400B2650
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014009E220 SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,SetFocus,SendMessageW,ShowWindow,SetFocus,InvalidateRect,MapWindowPoints,InvalidateRect, 0_2_000000014009E220
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400B2480 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow, 0_2_00000001400B2480
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140050882 IsZoomed,IsIconic, 0_2_0000000140050882
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400AE920 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen, 0_2_00000001400AE920
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014007A9C0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,free,malloc,free,malloc, 0_2_000000014007A9C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400A29F0 CheckMenuItem,CheckMenuItem,GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetForegroundWindow,GetWindowThreadProcessId,SetForegroundWindow,SetForegroundWindow,TrackPopupMenuEx,PostMessageW,GetForegroundWindow,SetForegroundWindow, 0_2_00000001400A29F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140058D60 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,GetClassNameW,EnumChildWindows,free,malloc, 0_2_0000000140058D60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140044E60 IsWindow,DestroyWindow,GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,MonitorFromPoint,GetMonitorInfoW,IsWindow,CreateWindowExW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetWindowRect,SendMessageW,SendMessageW, 0_2_0000000140044E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140054F10 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetSystemMetrics,GetSystemMetrics,wcsncpy,GetDC,DestroyIcon,DeleteObject,GetIconInfo,CreateCompatibleDC,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,free,malloc,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,free,free,free,free,malloc, 0_2_0000000140054F10
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400570B0 SendMessageW,IsWindowVisible,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW, 0_2_00000001400570B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140069800 GetTickCount,GetForegroundWindow,GetTickCount,GetWindowThreadProcessId,GetGUIThreadInfo,ClientToScreen,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_itow, 0_2_0000000140069800
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140053990 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,CreateCompatibleDC,free,malloc,ReleaseDC,SelectObject,DeleteDC,DeleteObject,free,free,malloc,GetPixel,ReleaseDC,free,malloc,free,malloc, 0_2_0000000140053990
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140097CA0 SetWindowTextW,IsZoomed,IsIconic,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowLongW,GetWindowRect,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,SetFocus, 0_2_0000000140097CA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140091D8D GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW, 0_2_0000000140091D8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140091D9D MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW, 0_2_0000000140091D9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140091D95 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW, 0_2_0000000140091D95
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140091DAB MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW, 0_2_0000000140091DAB
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140097DCF ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow, 0_2_0000000140097DCF
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140097DC5 ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow, 0_2_0000000140097DC5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140091DEF MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW, 0_2_0000000140091DEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140097DFA ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow, 0_2_0000000140097DFA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140097E2C ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow, 0_2_0000000140097E2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140091E27 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW, 0_2_0000000140091E27
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140091E36 GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW, 0_2_0000000140091E36
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140097E8A ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow, 0_2_0000000140097E8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140093EF0 GetWindowLongW,GetWindowLongW,SetWindowPos,EnableWindow,GetWindowRect,GetClientRect,MulDiv,MulDiv,GetWindowRect,GetClientRect,MulDiv,MulDiv,_wcstoi64,IsWindow,SetParent,SetWindowLongPtrW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect, 0_2_0000000140093EF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140097EE8 ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow, 0_2_0000000140097EE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140097F19 MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow, 0_2_0000000140097F19
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014008FF50 SendMessageW,MulDiv,MulDiv,free,free,free,free,free,free,free,free,free,free,free,free,COMRefPtr,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,SelectObject,ReleaseDC,SendMessageW,SendMessageW,GetClientRect,SetWindowLongW,SendMessageW,SetWindowLongW,MoveWindow,GetWindowRect,SendMessageW,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,MapWindowPoints, 0_2_000000014008FF50
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140018F60 0_2_0000000140018F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Window / User API: foregroundWindowGot 826
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe API coverage: 1.4 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014001A970 GetKeyboardLayout followed by cmp: cmp dl, 00000019h and CTI: ja 000000014001AAEDh country: Russian (ru) 0_2_000000014001A970
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400229E7 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 0000000140022C1Ah country: Urdu (ur) 0_2_00000001400229E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400229E7 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 0000000140022C1Ah country: Inuktitut (iu) 0_2_00000001400229E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400229EF GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 0000000140022C1Ah country: Urdu (ur) 0_2_00000001400229EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400229EF GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 0000000140022C1Ah country: Inuktitut (iu) 0_2_00000001400229EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400229F6 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 0000000140022C1Ah country: Urdu (ur) 0_2_00000001400229F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400229F6 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 0000000140022C1Ah country: Inuktitut (iu) 0_2_00000001400229F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140022A1D GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 0000000140022C1Ah country: Urdu (ur) 0_2_0000000140022A1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140022A1D GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 0000000140022C1Ah country: Inuktitut (iu) 0_2_0000000140022A1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140022A41 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 0000000140022C1Ah country: Urdu (ur) 0_2_0000000140022A41
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140022A41 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 0000000140022C1Ah country: Inuktitut (iu) 0_2_0000000140022A41
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140022A65 GetKeyboardLayout followed by cmp: cmp ax, 0020h and CTI: je 0000000140022C1Ah country: Urdu (ur) 0_2_0000000140022A65
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140022A65 GetKeyboardLayout followed by cmp: cmp eax, 5dh and CTI: ja 0000000140022C1Ah country: Inuktitut (iu) 0_2_0000000140022A65
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140015020 GetKeyboardLayout followed by cmp: cmp ecx, 0ah and CTI: jl 0000000140015382h country: Spanish (es) 0_2_0000000140015020
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140059470 GetLocalTime followed by cmp: cmp word ptr [rbx], cx and CTI: je 00000001400597A3h 0_2_0000000140059470
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140059470 GetLocalTime followed by cmp: cmp dx, ax and CTI: je 0000000140059663h 0_2_0000000140059470
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400AE260 FindFirstFileW,FindClose,FindFirstFileW,FindClose, 0_2_00000001400AE260
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400AE160 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00000001400AE160
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014003C8E0 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose, 0_2_000000014003C8E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140066F50 FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose, 0_2_0000000140066F50
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400672B0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,free,malloc, 0_2_00000001400672B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140081660 GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,wcsncpy,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError, 0_2_0000000140081660
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140067900 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose, 0_2_0000000140067900
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140081C50 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0000000140081C50
Source: Amcache.hve.0.dr Binary or memory string: VMware
Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.0.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.0.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.0.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.0.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.0.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.0.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.0.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe, 00000000.00000002.3328171326.0000000000978000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.0.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe, 00000000.00000002.3328940342.0000000003027000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:F[
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe, 00000000.00000002.3328171326.000000000093F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@n
Source: Amcache.hve.0.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.0.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.0.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.0.dr Binary or memory string: vmci.sys
Source: Amcache.hve.0.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.0.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.0.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.0.dr Binary or memory string: VMware20,1
Source: Amcache.hve.0.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.0.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.0.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.0.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.0.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.0.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.0.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.0.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.0.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.0.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140018080 BlockInput,free,BlockInput, 0_2_0000000140018080
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400CEB14 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00000001400CEB14
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400B4300 LoadLibraryW,GetProcAddress, 0_2_00000001400B4300
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400D8678 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError, 0_2_00000001400D8678
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400D37C4 SetUnhandledExceptionFilter, 0_2_00000001400D37C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400D1920 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00000001400D1920
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140041B60 CreateProcessW,CloseHandle,GetLastError,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,CloseHandle,GetLastError,FormatMessageW, 0_2_0000000140041B60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400172D0 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,BlockInput,GetForegroundWindow,GetAsyncKeyState,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,BlockInput, 0_2_00000001400172D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140018AE0 mouse_event, 0_2_0000000140018AE0
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe Binary or memory string: Program Manager
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe, SecuriteInfo.com.FileRepMalware.14270.3068.exe, 00000000.00000002.3327786647.00000000007FC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Progman
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe Binary or memory string: TextLEFTLRIGHTRMIDDLEMX1X2WUWDWLWR{Blind}{ClickLl{}^+!#{}RawTempASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt SYSTEM\CurrentControlSet\Control\Keyboard Layouts\Layout FileKbdLayerDescriptorsc%03Xvk%02XSCALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%uStdOutAllUnreachableClassOverwriteUseEnvLocalSameAsGlobalUseUnsetGlobalUseUnsetLocalYYYYYWeekYearYDayWorkingDirWinDirWinDelayWDayUserNameTitleMatchModeSpeedTitleMatchModeTimeSinceThisHotkeyTimeSincePriorHotkeyTimeIdlePhysicalTimeIdleMouseTimeIdleKeyboardTimeIdleTickCountThisMenuItemPosThisMenuItemThisMenuThisLabelThisHotkeyThisFuncStoreCapslockModeStartupCommonStartupStartMenuCommonStartMenuSecScriptNameScriptHwndScriptFullPathScriptDirScreenWidthScreenHeightScreenDPIRegViewPtrSizeProgramsCommonProgramsPriorKeyPriorHotkeyOSVersionOSTypeNumBatchLinesNowUTCNowMyDocumentsMSecMouseDelayPlayMouseDelayMonMMMMMMMMMMinMDayLoopRegTypeLoopRegTimeModifiedLoopRegSubKeyLoopRegNameLoopRegKeyLoopReadLineLoopFileTimeModifiedLoopFileTimeCreatedLoopFileTimeAccessedLoopFileSizeMBLoopFileSizeKBLoopFileSizeLoopFileShortPathLoopFileShortNameLoopFilePathLoopFileNameLoopFileLongPathLoopFileFullPathLoopFileExtLoopFileDirLoopFileAttribLoopFieldLineNumberLineFileLastErrorLanguageKeyDurationPlayKeyDurationKeyDelayPlayKeyDelayIsUnicodeIsSuspendedIsPausedIsCriticalIsCompiledIsAdminIs64bitOSIPAddress4IPAddress3IPAddress2IPAddress1InitialWorkingDirIndexIconTipIconNumberIconHiddenIconFileHourGuiYGuiXGuiWidthGuiHeightGuiEventGuiControlEventFormatIntegerFormatFloatExitReasonEventInfoEndCharDesktopCommonDesktopDefaultTreeViewDefaultMouseSpeedDefaultListViewDefaultGuiDDDDDDDDDCursorCoordModeToolTipCoordModePixelCoordModeMouseCoordModeMenuCoordModeCaretControlDelayComputerNameCaretYCaretXBatchLinesAppDataCommonAppDataAhkVersionAhkPathTrueProgramFilesFalseComSpecClipboardAllClipboard...%s[%Iu of %Iu]: %-1.60s%sPropertyRegExMatch\:\:REG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264LineRegExFASTSLOWAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightAddDestroyNamePriorityInterruptNoTimersLabelTypeCountLocalePermitMouseSendAndMouseMouseMoveOffPlayEventThenEventThenPlayYESNOOKCANCELABORTIGNORERETRYCONTINUETRYAGAINMINMAXHIDEScreenRelativeWindowClientPixelCaretIntegerFloatNumberTimeDateDigitXdigitAlnumAlphaUpperLowerUTF-8UTF-8-RAWUTF-16UTF-16-RAWCPFuncRemoveClipboardFormatListeneruser32AddClipboardFormatListenerTrayNo tray memstatus AHK_PlayMe modeclose AHK_PlayMeRegClassAutoHotkey2Shell_TrayWndCreateWindoweditConsolasLucida Console*ErrorLevel <>=/|^,:*&~!()[]{}+-?."'\;`IFWHILEClass>AUTOHOTKEY SCRIPT<Could not extract script from EXE./*#CommentFlag*/and<>=/|^,:<>=/|^,:.+-*&!?~::?*- Continuation section too long.JoinLTrimRTrimMissing ")"Functions cannot contain functions.Missing "{"Not a valid method, class or property definition.GetSetNot a valid property getter/setter.Hotkeys/hotstrin
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400D4120 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00000001400D4120
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400693D0 GetComputerNameW,GetUserNameW, 0_2_00000001400693D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_00000001400CF0C4 HeapCreate,GetVersion,HeapSetInformation, 0_2_00000001400CF0C4
Source: Amcache.hve.0.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.0.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.0.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.0.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.0.dr Binary or memory string: MsMpEng.exe
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe Binary or memory string: WIN_XP
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe Binary or memory string: ?*A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingle\AutoHotkey.exeWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003%04hX0x%Ix*pPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkpcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfop6
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe Binary or memory string: WIN_VISTA
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe Binary or memory string: WIN_7
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe Binary or memory string: WIN_8
Source: SecuriteInfo.com.FileRepMalware.14270.3068.exe Binary or memory string: WIN_8.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014001E980 Shell_NotifyIconW,RemoveClipboardFormatListener,ChangeClipboardChain,DestroyWindow,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize,free,free,free, 0_2_000000014001E980
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_000000014001F410 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain, 0_2_000000014001F410
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.14270.3068.exe Code function: 0_2_0000000140073910 RemoveClipboardFormatListener,ChangeClipboardChain, 0_2_0000000140073910