Windows Analysis Report
SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe

Overview

General Information

Sample name: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Analysis ID: 1427160
MD5: a10aff228a835255b89419bebf24bdb2
SHA1: 959e432c06de820e4778461befb789bde41ebba8
SHA256: c673e00e0e5c771f2d146c07d656ba6c3ea2112146e5b382ba7391e513eb8160
Tags: exe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe File created: C:\Program Files (x86)\MP3SoundRecorder\readme.txt
Source: Binary string: d:\ShareWare\MP3 Sound Recorder\MixerAPP\PRMixer\Release\PRMixer.pdb source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1634842047.00000000017EC000.00000004.00000020.00020000.00000000.sdmp, MP3SoundRecorder.exe, 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmp, prmixer.dll.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA449B GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00FA449B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FAF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00FAF47F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00FA3833
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00FA3B56
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635697888.00000000017DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635585082.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635585082.000000000180E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635431335.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635845934.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635431335.000000000180E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635664567.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635516591.000000000180E000.00000004.00000020.00020000.00000000.sdmp, readme.txt.0.dr String found in binary or memory: http://bbs.xdowns.com
Source: MP3SoundRecorder.exe, 00000001.00000003.1641085834.00000000023B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.cooolsoft.com
Source: MP3SoundRecorder.exe, 00000001.00000003.1641085834.00000000023B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.cooolsoft.comopenU
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635697888.00000000017DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635585082.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635585082.000000000180E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635431335.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635845934.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635431335.000000000180E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635664567.000000000181E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1635516591.000000000180E000.00000004.00000020.00020000.00000000.sdmp, readme.txt.0.dr String found in binary or memory: http://www.xdowns.com
Source: MP3SoundRecorder.exe, 00000001.00000003.1641085834.00000000023B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.qwerks.com/order/buynow.asp?ProductID=2689
Source: MP3SoundRecorder.exe, 00000001.00000003.1641085834.00000000023B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.qwerks.com/order/buynow.asp?ProductID=2689openU
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA1097 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW, 0_2_00FA1097
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCCB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00FCCB26
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_008C2A85 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_008C2A85
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_0229FA33 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 1_2_0229FA33
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_022A24FF GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_022A24FF
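The "Code function" lines above are the raw evidence behind the "key state polling", "launch a process as a different user" and "shutdown / reboot" signatures. The following is an added example written for this page, not part of the sandbox report: it parses lines in that format and applies a few coarse rules of its own (the thresholds and labels are this example's assumptions, not Joe Sandbox's signature logic). One caveat it makes visible: four GetKeyState calls followed by SendMessageA is also how ordinary GUI code reads the Shift/Ctrl/Alt modifier state before handling a click or message, so a polling hit in MP3SoundRecorder.exe needs the virtual-key arguments (which the report does not show) before it can be called a keylogger.

```python
import re
from collections import Counter

# Constructed sample input: "Code function" lines copied verbatim from the
# report above. The identifier after "Code function:" and at the end of the
# line is the sandbox's <process>_<run>_<address> tag for the function.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA1097 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW, 0_2_00FA1097",
    r"Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_008C2A85 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_008C2A85",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F98638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74775590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle, 0_2_00F98638",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA5264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00FA5264",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F4E060 0_2_00F4E060",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_01111B00 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_01111B00",
]

FUNC_ID = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+:?$")


def parse_code_function(line):
    """Return (function_id, [api, ...]) for a 'Code function:' report line, else None."""
    pos = line.find("Code function:")
    if pos < 0:
        return None
    tokens = line[pos + len("Code function:"):].split()
    if not tokens or not FUNC_ID.match(tokens[0]):
        return None
    func_id = tokens[0].rstrip(":")
    # The function id is repeated at the end of the line; drop it if present.
    body = tokens[1:-1] if len(tokens) > 1 and FUNC_ID.match(tokens[-1]) else tokens[1:]
    apis = [a.strip() for a in " ".join(body).split(",") if a.strip()]
    return func_id, apis


def classify(apis):
    """Map one function's API chain to coarse behaviour labels.
    Thresholds are this example's own, not the sandbox's signature logic."""
    c = Counter(apis)
    found = []
    if c["GetKeyState"] + c["GetAsyncKeyState"] >= 3:
        found.append("key-state polling")
    if c["CreateProcessAsUserW"] or c["AdjustTokenPrivileges"]:
        found.append("token / run-as-user")
    if c["ExitWindowsEx"] or c["InitiateSystemShutdownExW"]:
        found.append("shutdown / reboot")
    if c["GetProcAddress"] and (c["LoadLibraryA"] or c["LoadLibraryW"]):
        found.append("dynamic API resolution")
    if c["EntryPoint"] and c["VirtualProtect"] >= 2:
        found.append("unpacking stub at entry point")
    return found


def triage(lines):
    """Return {function_id: [labels]} for every report line that triggers a rule."""
    results = {}
    for line in lines:
        parsed = parse_code_function(line)
        if parsed:
            func_id, apis = parsed
            labels = classify(apis)
            if labels:
                results[func_id] = labels
    return results


if __name__ == "__main__":
    for func_id, labels in triage(REPORT_LINES).items():
        print(func_id, "->", ", ".join(labels))
```

Run against the six lines above it flags 1_2_008C2A85 (polling), 0_2_00F98638 (run-as-user), 0_2_00FA5264 (shutdown) and 0_2_01111B00 (LoadLibrary/GetProcAddress plus VirtualProtect at the entry point, the ASPack stub), and stays silent on the GetKeyboardState/PostMessageW chain, which merely injects synthetic input into a window.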

System Summary

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: This is a third-party compiled AutoIt script. 0_2_00F43B4C
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_fe14f271-e
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_adb1a7c2-9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F43633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow, 0_2_00F43633
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F41290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient, 0_2_00F41290
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F41287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W, 0_2_00F41287
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCC216 PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, 0_2_00FCC216
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCD4A8 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W, 0_2_00FCD4A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCD422 NtdllDialogWndProc_W, 0_2_00FCD422
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCC5E7 SendMessageW,NtdllDialogWndProc_W, 0_2_00FCC5E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCC502 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W, 0_2_00FCC502
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F416DE GetParent,NtdllDialogWndProc_W, 0_2_00F416DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F416B5 NtdllDialogWndProc_W, 0_2_00F416B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F4167D NtdllDialogWndProc_W, 0_2_00F4167D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCC668 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, 0_2_00FCC668
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCD7F6 NtdllDialogWndProc_W, 0_2_00FCD7F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCC8F9 NtdllDialogWndProc_W, 0_2_00FCC8F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCC8CA NtdllDialogWndProc_W, 0_2_00FCC8CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F4189B NtdllDialogWndProc_W, 0_2_00F4189B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCC9A8 ClientToScreen,NtdllDialogWndProc_W, 0_2_00FCC9A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCC973 NtdllDialogWndProc_W, 0_2_00FCC973
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCC928 NtdllDialogWndProc_W, 0_2_00FCC928
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCCAE6 GetWindowLongW,NtdllDialogWndProc_W, 0_2_00FCCAE6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCCB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00FCCB26
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCBFF6 ReleaseCapture,ChrCmpIA,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, 0_2_00FCBFF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FCBF9A NtdllDialogWndProc_W, 0_2_00FCBF9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FAA279: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00FAA279
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F98638 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74775590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle, 0_2_00F98638
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA5264 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00FA5264
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F4E060 0_2_00F4E060
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F6DAF5 0_2_00F6DAF5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F4FE40 0_2_00F4FE40
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F570FE 0_2_00F570FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F53190 0_2_00F53190
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F41287 0_2_00F41287
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F6F359 0_2_00F6F359
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F62345 0_2_00F62345
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F63307 0_2_00F63307
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F76452 0_2_00F76452
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F725AE 0_2_00F725AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F55680 0_2_00F55680
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F61604 0_2_00F61604
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F6277A 0_2_00F6277A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F558C0 0_2_00F558C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F56841 0_2_00F56841
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F67813 0_2_00F67813
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F4E800 0_2_00F4E800
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F769C4 0_2_00F769C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F58968 0_2_00F58968
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA8932 0_2_00FA8932
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F9E928 0_2_00F9E928
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F7890F 0_2_00F7890F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F61AF8 0_2_00F61AF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F6CCA1 0_2_00F6CCA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FC7E0D 0_2_00FC7E0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F76F36 0_2_00F76F36
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F6BF26 0_2_00F6BF26
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F61F10 0_2_00F61F10
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_008C39BA 1_2_008C39BA
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_008BAC07 1_2_008BAC07
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_008B6420 1_2_008B6420
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_022922D9 1_2_022922D9
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_022A1890 1_2_022A1890
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_0229A59B 1_2_0229A59B
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_0229D5EE 1_2_0229D5EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: String function: 00F47F41 appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: String function: 00F68A80 appears 40 times
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: String function: 008B6C3C appears 40 times
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: String function: 008B73B0 appears 46 times
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: String function: 02295C6C appears 44 times
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: String function: 008B1C50 appears 48 times
Source: MP3SoundRecorder.exe.0.dr Static PE information: Resource name: RT_BITMAP type: COM executable for DOS
Source: aut404E.tmp.0.dr Static PE information: Resource name: RT_BITMAP type: COM executable for DOS
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1636259761.000000000181C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRecord.DLLX vs SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1636338074.000000000181C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRecord.DLLX vs SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1634977408.000000000180E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePRMixer.dllJ vs SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1634842047.00000000017DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePRMixer.dllJ vs SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1636138801.000000000181C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRecord.DLLX vs SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1636138801.00000000017FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRecord.DLLX vs SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1634842047.00000000017EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePRMixer.dllJ vs SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1634924208.00000000017FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePRMixer.dllJ vs SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: MP3SoundRecorder.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: aut404E.tmp.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MP3SoundRecorder.exe.0.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: aut404E.tmp.0.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Static PE information: Section: .rsrc ZLIB complexity 0.9902734766016016
Source: MP3SoundRecorder.exe.0.dr Static PE information: Section: CODE ZLIB complexity 0.9996700802364865
Source: MP3SoundRecorder.exe.0.dr Static PE information: Section: DATA ZLIB complexity 0.9964192708333334
Source: aut404E.tmp.0.dr Static PE information: Section: CODE ZLIB complexity 0.9996700802364865
Source: aut404E.tmp.0.dr Static PE information: Section: DATA ZLIB complexity 0.9964192708333334
Source: classification engine Classification label: mal56.evad.winEXE@3/28@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FAA0F4 GetLastError,FormatMessageW, 0_2_00FAA0F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F984F3 AdjustTokenPrivileges,CloseHandle, 0_2_00F984F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F98AA3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00F98AA3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA3C99 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00FA3C99
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F44FE9 FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00F44FE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe File created: C:\Program Files (x86)\MP3SoundRecorder
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe File created: C:\Users\user\AppData\Local\Temp\aut3EF2.tmp
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe File read: C:\Program Files (x86)\MP3SoundRecorder\set.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe ReversingLabs: Detection: 18%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Process created: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe "C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: version.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: mp3dec2.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: mp3dec2.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: prmixer.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: record.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: textshaping.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe File written: C:\Program Files (x86)\MP3SoundRecorder\set.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Static file information: File size 1375744 > 1048576
Source: Binary string: d:\ShareWare\MP3 Sound Recorder\MixerAPP\PRMixer\Release\PRMixer.pdb source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000003.1634842047.00000000017EC000.00000004.00000020.00020000.00000000.sdmp, MP3SoundRecorder.exe, 00000001.00000002.2867057178.00000000008CA000.00000002.00000001.01000000.00000006.sdmp, prmixer.dll.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_01111B00 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_01111B00
Source: initial sample Static PE information: section where entry point is pointing to: .aspack
Source: mp3dec2.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x10f0e
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Static PE information: real checksum: 0x0 should be: 0x152e6b
Source: prmixer.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x368c9
Source: record.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x2d618
Source: MP3SoundRecorder.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x57c68
Source: lame_enc.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x22e2b
Source: mp3decdll.dll.0.dr Static PE information: real checksum: 0x30ce4 should be: 0x30c6e
Source: aut404E.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x57c68
Source: aut3F51.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x22e2b
Source: lame_enc.dll.0.dr Static PE information: section name: UPX2
Source: MP3SoundRecorder.exe.0.dr Static PE information: section name: .aspack
Source: MP3SoundRecorder.exe.0.dr Static PE information: section name: .adata
Source: aut3F51.tmp.0.dr Static PE information: section name: UPX2
Source: aut404E.tmp.0.dr Static PE information: section name: .aspack
Source: aut404E.tmp.0.dr Static PE information: section name: .adata
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA31E7 push esi; ret 0_2_00FA31EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F543CB push edi; ret 0_2_00F543CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F543B7 push edi; ret 0_2_00F543B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA8538 push FFFFFF8Bh; iretd 0_2_00FA853A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F6E88F push edi; ret 0_2_00F6E891
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F6E9A8 push esi; ret 0_2_00F6E9AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F68AC5 push ecx; ret 0_2_00F68AD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F87AA9 push es; retf 0_2_00F87AAA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F6EB83 push esi; ret 0_2_00F6EB85
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F6EC6C push edi; ret 0_2_00F6EC6E
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_008B73EB push ecx; ret 1_2_008B73FB
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_008B6C3C push eax; ret 1_2_008B6C5A
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_008B6530 push eax; ret 1_2_008B6544
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_008B6530 push eax; ret 1_2_008B656C
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_022963E0 push eax; ret 1_2_0229640E
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_02295C6C push eax; ret 1_2_02295C8A
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_10003520 push eax; ret 1_2_1000354E
Source: mp3decdll.dll.0.dr Static PE information: section name: .text entropy: 6.804610237839352
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe File created: C:\Program Files (x86)\MP3SoundRecorder\mp3decdll.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe File created: C:\Program Files (x86)\MP3SoundRecorder\lame_enc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe File created: C:\Program Files (x86)\MP3SoundRecorder\mp3dec2.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe File created: C:\Program Files (x86)\MP3SoundRecorder\record.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe File created: C:\Program Files (x86)\MP3SoundRecorder\prmixer.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe File created: C:\Users\user\AppData\Local\Temp\aut3F51.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe File created: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe File created: C:\Users\user\AppData\Local\Temp\aut404E.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe File created: C:\Program Files (x86)\MP3SoundRecorder\readme.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F44A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00F44A35
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_008B4764 IsIconic,GetWindowPlacement,GetWindowRect, 1_2_008B4764
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_022948CD IsIconic,GetWindowPlacement,GetWindowRect, 1_2_022948CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F63307 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00F63307
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Dropped PE file which has not been started: C:\Program Files (x86)\MP3SoundRecorder\mp3decdll.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Dropped PE file which has not been started: C:\Program Files (x86)\MP3SoundRecorder\lame_enc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\aut3F51.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe API coverage: 8.0 %
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe API coverage: 2.7 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA449B GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00FA449B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FAF47F FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00FAF47F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA3833 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00FA3833
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA3B56 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00FA3B56
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F44AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00F44AFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F43B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00F43B4C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F75BFC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_00F75BFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_01111B00 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_01111B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F981D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00F981D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F6A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F6A2D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F6A2A4 SetUnhandledExceptionFilter, 0_2_00F6A2A4
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_008BBEF6 SetUnhandledExceptionFilter, 1_2_008BBEF6
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_008BBF0A SetUnhandledExceptionFilter, 1_2_008BBF0A
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_0229BC8B SetUnhandledExceptionFilter, 1_2_0229BC8B
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: 1_2_0229BC9D SetUnhandledExceptionFilter, 1_2_0229BC9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F98A73 LogonUserW, 0_2_00F98A73
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F43B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00F43B4C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA15F8 SendInput,keybd_event, 0_2_00FA15F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA4CFA mouse_event, 0_2_00FA4CFA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F981D4 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00F981D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00FA4A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00FA4A08
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F687AB cpuid 0_2_00F687AB
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 1_2_008C764C
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 1_2_008B3240
Source: C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe Code function: GetLocaleInfoA, 1_2_008BECF2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F75007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00F75007
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F8215F GetUserNameW, 0_2_00F8215F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F73ED6 _cvtdate,_cvtdate,_cvtdate,_cvtdate,__invoke_watson,__lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00F73ED6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Code function: 0_2_00F44AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00F44AFE
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Binary or memory string: WIN_81
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Binary or memory string: WIN_XP
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Binary or memory string: WIN_XPe
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Binary or memory string: WIN_VISTA
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Binary or memory string: WIN_7
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe Binary or memory string: WIN_8
Source: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe, 00000000.00000002.1644925783.0000000000FF4000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
No contacted IP infos