Source: C:\Users\user\AppData\Local\Temp\YYF2G.a | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: YYF2G.a | Binary string: i:\IrQiF\cqyBw\whQMM.pdb
Source: file.exe | Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F64D8A __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F78590 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,
Source: YYF2G.a.0.dr | Static PE information: section name: H|s1ii4Y
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_051DBDC0 NtCreateThreadEx,
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00F7C468 appears 54 times
Source: YYF2G.a.0.dr | Static PE information: Section: H|s1ii4Y ZLIB complexity 0.9982600954403035
Source: classification engine | Classification label: mal52.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F62E6F GetLastError,FormatMessageW,_wcslen,LocalFree,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F75C5C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_5752750
Source: C:\Users\user\Desktop\file.exe | Command line argument: sfxname | 0_2_00F7B2FE
Source: C:\Users\user\Desktop\file.exe | Command line argument: sfxstime | 0_2_00F7B2FE
Source: C:\Users\user\Desktop\file.exe | Command line argument: STARTDLG | 0_2_00F7B2FE
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" -S .\YYF2G.A
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: file.exe | Static file information: File size 2237084 > 1048576
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: file.exe | Static PE information: section name: .didat
Source: YYF2G.a.0.dr | Static PE information: section name: PACK
Source: YYF2G.a.0.dr | Static PE information: section name: H|s1ii4Y
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D4B0 push ecx; ret | 0_2_00F7D4C3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7C403 push ecx; ret | 0_2_00F7C416
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\YYF2G.a
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\YYF2G.a
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7BC1D VirtualQuery,GetSystemInfo,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F812B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F853C2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F893D0 GetProcessHeap,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D242 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D3E5 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7C69D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7D05E cpuid
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetNumberFormatW, | 0_2_00F76CF5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F7B2FE GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F65032 GetVersionExW,