Windows Analysis Report
Kofc4rRZdp.exe

Overview

General Information

Sample name: Kofc4rRZdp.exe (renamed by the sandbox because the original file name was the sample's MD5 hash)
Original sample name: 243149fc79e420c9dfe7f0affa166238.exe
Analysis ID: 1429029
MD5: 243149fc79e420c9dfe7f0affa166238
SHA1: 8289040f7e4043f6b6320684a63f2019714aaab6
SHA256: fee7bb0a897a66e0ff928aa8abc71ab11a59d960d88e10c1a05f60495c08522a
Tags: 32, exe, trojan

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
File is packed with WinRar
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\42ZqUg._ Avira: detection malicious, Label: HEUR/AGEN.1300756
Source: C:\Users\user\AppData\Local\Temp\42ZqUg._ Virustotal: Detection: 25%
Source: Kofc4rRZdp.exe Virustotal: Detection: 38%
Source: C:\Users\user\AppData\Local\Temp\42ZqUg._ Joe Sandbox ML: detected
Source: Kofc4rRZdp.exe Joe Sandbox ML: detected
Note: both the submitted container and the file it drops are flagged. The VirusTotal percentages are the share of engines detecting at scan time and change as signatures are updated; the dropped file's own hash, not only the container's, is the indicator to pivot on, since the same payload can be repackaged in a different SFX.
Source: Kofc4rRZdp.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Kofc4rRZdp.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: Kofc4rRZdp.exe
Note: the PDB path identifies the executable as WinRAR's 32-bit ZIP self-extractor module (the basis for the "File is packed with WinRar" signature). The stub code itself is stock WinRAR; the malicious content is the embedded archive and the setup command it runs after extraction, so code-level findings in process 0 describe the extractor, not the payload.
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_00714D8A __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00714D8A
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_00728590 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW, 0_2_00728590
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_007386E8 FindFirstFileExA, 0_2_007386E8
Note: directory enumeration (FindFirstFileW / FindNextFileW) is expected of an archive extractor and is not an indicator on its own.

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A769C0 NtCreateThreadEx, 1_2_04A769C0
Note: this function lives in process 1, the regsvr32.exe instance, not in the SFX stub. regsvr32 itself does not call NtCreateThreadEx; code doing so inside that process is consistent with the dropped module 42ZqUg._ executing after regsvr32 loads it and calls its DllUnregisterServer export (the /u switch).
Detected potential crypto function

Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0071720F 0_2_0071720F
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0071E3FB 0_2_0071E3FB
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0071FBD3 0_2_0071FBD3
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0071837D 0_2_0071837D
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0072E430 0_2_0072E430
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_00732578 0_2_00732578
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_00712606 0_2_00712606
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_007327A7 0_2_007327A7
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_00720870 0_2_00720870
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_00718934 0_2_00718934
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0073AA50 0_2_0073AA50
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_00718D89 0_2_00718D89
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0073EE32 0_2_0073EE32
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0073AEFE 0_2_0073AEFE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04951000 1_2_04951000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_049549D0 1_2_049549D0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04952FB0 1_2_04952FB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_049551F0 1_2_049551F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04952AC4 1_2_04952AC4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04953B80 1_2_04953B80
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A76CC0 1_2_04A76CC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A769C0 1_2_04A769C0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A78910 1_2_04A78910
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A76140 1_2_04A76140
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A79040 1_2_04A79040
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A78DB0 1_2_04A78DB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A79490 1_2_04A79490
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A75AE0 1_2_04A75AE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A766E0 1_2_04A766E0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A78BC0 1_2_04A78BC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A76430 1_2_04A76430
Note: these are heuristic matches on arithmetic-heavy loops, not identified algorithms. The entries under process 0 belong to the WinRAR stub, which legitimately contains decompression and CRC code; the 1_2_* entries are again code running inside regsvr32.exe.

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: String function: 0072C468 appears 55 times
Sample file is different than original file name gathered from version info

Source: Kofc4rRZdp.exe, 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelgpllibs.dll8 vs Kofc4rRZdp.exe
Source: Kofc4rRZdp.exe, 00000000.00000002.2077529522.0000000002D84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameREGSVR32.EXE.MUIj% vs Kofc4rRZdp.exe
Source: Kofc4rRZdp.exe, 00000000.00000003.2076923027.0000000002D84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameREGSVR32.EXE.MUIj% vs Kofc4rRZdp.exe
Source: Kofc4rRZdp.exe, 00000000.00000003.2076820826.0000000002D84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameREGSVR32.EXE.MUIj% vs Kofc4rRZdp.exe
Source: Kofc4rRZdp.exe, 00000000.00000003.2077046352.0000000002D84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameREGSVR32.EXE.MUIj% vs Kofc4rRZdp.exe
Note: the trailing characters after each file name ("8", "j%") are adjacent bytes from the memory dump, not part of the name. The version resource found in the sample's mapped image names the original file lgpllibs.dll, a file name also used by legitimate Mozilla builds, which does not match the executable actually on disk. The REGSVR32.EXE.MUI strings come from regsvr32's localisation resource present in the SFX process's memory and say nothing about the sample's own identity.
Source: Kofc4rRZdp.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal72.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_00712E6F GetLastError,FormatMessageW,_wcslen,LocalFree, 0_2_00712E6F
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_00725C5C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00725C5C
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_3806687
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Command line argument: ht 0_2_0072B2FE
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Command line argument: sfxname 0_2_0072B2FE
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Command line argument: sfxstime 0_2_0072B2FE
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Command line argument: STARTDLG 0_2_0072B2FE
Note: the __tmp_rar_sfx_access_check_* temp file and the sfxname / sfxstime strings are standard WinRAR SFX behaviour: the stub probes write access to the extraction directory and exports its own path and start time as environment variables (function 0_2_0072B2FE, listed further down, calls SetEnvironmentVariableW twice around GetLocalTime) so that the archive's setup command can reference them.
Source: Kofc4rRZdp.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Note: the Safer\CodeIdentifiers read is the Software Restriction Policy lookup Windows typically performs when a process launches a child; it is a side effect of the regsvr32 launch, not a policy check implemented by the sample.
Source: Kofc4rRZdp.exe Virustotal: Detection: 38%
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe File read: C:\Users\user\Desktop\Kofc4rRZdp.exe (the SFX stub reads its own image to locate the embedded archive)
Creates a process in suspended mode (likely to inject code)

Source: unknown Process created: C:\Users\user\Desktop\Kofc4rRZdp.exe "C:\Users\user\Desktop\Kofc4rRZdp.exe"
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /u /s .\42ZQUg._
Note: this is the execution chain of the sample. The SFX extracts 42ZqUg._ to %TEMP% and runs its setup command, regsvr32.exe /u /s <module>, from that directory: /u makes regsvr32 load the module and call its DllUnregisterServer export, /s suppresses the result dialog. The module does not need to be a registered COM server or carry a .dll extension; any PE exporting DllUnregisterServer runs inside the Microsoft-signed regsvr32.exe (MITRE ATT&CK T1218.010, Signed Binary Proxy Execution: Regsvr32). The command names System32\regsvr32.exe, but the 32-bit parent is redirected by WoW64 to the SysWOW64 copy, which is why the created image differs from the command line. The report lists no write into the child's memory, so the documented execution path is the /u-triggered export rather than injection.
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: netutils.dll
Note: the parent's long list is the WinRAR dialog UI (rich edit, text shaping, image codecs, shell components). The network-capable libraries urlmon.dll, srvcli.dll and netutils.dll are loaded into regsvr32.exe as well, yet the report records no network traffic for this run.
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Note: {00BB2765-6A77-11D0-A535-00C04FD7D062} is CLSID_ACLMulti, the shell autocomplete list used by the SFX dialog's destination-folder edit box; the WOW6432Node path reflects a 32-bit process on a 64-bit host.
Source: Kofc4rRZdp.exe Static file information: File size 3049000 > 1048576
Source: Kofc4rRZdp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Kofc4rRZdp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Kofc4rRZdp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Kofc4rRZdp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Kofc4rRZdp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Kofc4rRZdp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Kofc4rRZdp.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Kofc4rRZdp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: Kofc4rRZdp.exe
Source: Kofc4rRZdp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Kofc4rRZdp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Kofc4rRZdp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Kofc4rRZdp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Kofc4rRZdp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_3806687

PE file contains sections with non-standard names

Source: Kofc4rRZdp.exe Static PE information: section name: .didat
Source: 42ZqUg._.0.dr Static PE information: section name: .qdata
Source: 42ZqUg._.0.dr Static PE information: section name: 510OCR
Note: .didat is the delay-import data section the MSVC linker emits and is normal for the WinRAR stub. The names that matter are .qdata and 510OCR in the dropped file (42ZqUg._.0.dr denotes the file dropped by process 0); neither is produced by a mainstream toolchain, which points to a custom packer or a post-processed binary.

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0072C403 push ecx; ret 0_2_0072C416
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0072D4B0 push ecx; ret 0_2_0072D4C3
Note: a push ecx / ret epilogue is also how the MSVC runtime's _EH_epilog3 and _SEH_epilog4 helpers return (the stub uses the matching __EH_prolog3_GS in the code functions listed earlier), so two hits in the WinRAR stub are compiler boilerplate rather than hand-written obfuscation.

Drops PE files / Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\Kofc4rRZdp.exe File created: C:\Users\user\AppData\Local\Temp\42ZqUg._
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Process information set: NOOPENFILEERRORBOX (SetErrorMode: suppresses the message box shown when a file cannot be found)
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\42ZqUg._
Note: the dropped file is a PE image saved under the extension "._", which keeps it from looking like a DLL in a directory listing while regsvr32 loads it regardless of name. Treat the "has not been started" signature with caution: the process tree shows the same file passed to regsvr32.exe /u /s, and the report records code functions (including NtCreateThreadEx) inside that regsvr32.exe process, which is consistent with the module having been loaded there. The differing case of the two spellings (42ZqUg._ on disk, 42ZQUg._ on the command line) is irrelevant because Windows path lookups are case-insensitive by default.
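The static checks behind three of the signatures above (32-bit PE, DLL characteristics, non-standard section names and a file extension that does not match PE content) are small enough to implement directly. The block below is an added example, not the sandbox's code, and it does not parse the real dropped file: it assembles a minimal PE32 DLL in memory whose section names mirror the report's .qdata and 510OCR entries (everything else about that image is constructed), then runs the checks against it and against a clean-looking EXE. The list of "standard" section names and the extension list are illustrative assumptions.

```python
import ntpath
import struct

# COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
COFF_FMT = "<HHIIIHH"
SECTION_HEADER_SIZE = 40
PE32_OPTIONAL_SIZE = 96          # standard PE32 fields only, no data directories

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "arm", 0xAA64: "arm64"}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Section names mainstream toolchains emit (illustrative). .didat is MSVC's
# delay-import data and is legitimate even though some scanners flag it.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                     ".pdata", ".bss", ".tls", ".crt", ".xdata", ".didat", ".gfids",
                     ".00cfg", ".debug"}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv", ".efi", ".ax"}


def build_sample_pe(section_names, is_dll=True, dll_chars=0xC140):
    """Assemble a minimal PE32 image in memory (constructed test input, not a real file)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                 # e_lfanew: PE header follows
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack(COFF_FMT, 0x14C, len(section_names), 0, 0, 0, PE32_OPTIONAL_SIZE, chars)
    opt = bytearray(PE32_OPTIONAL_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic: PE32
    struct.pack_into("<H", opt, 70, dll_chars)                   # DllCharacteristics
    sections = b"".join(name.encode("ascii").ljust(8, b"\0") + bytes(SECTION_HEADER_SIZE - 8)
                        for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def inspect_pe(data, filename):
    """Parse the headers a triage pass needs and compare the content with the file name."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, pe_off + 4)
    opt_off = pe_off + 4 + struct.calcsize(COFF_FMT)
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]   # same offset in PE32 and PE32+
    names = []
    for i in range(nsec):
        off = opt_off + opt_size + i * SECTION_HEADER_SIZE
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    ext = ntpath.splitext(filename)[1].lower()
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "mitigations": sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit),
        "sections": names,
        "non_standard_sections": [n for n in names if n.lower() not in STANDARD_SECTIONS],
        "extension_mismatch": ext not in PE_EXTENSIONS,
    }


if __name__ == "__main__":
    dropped = inspect_pe(build_sample_pe([".text", ".qdata", "510OCR"]), "42ZqUg._")
    for key, value in dropped.items():
        print(f"{key:22} {value}")
```

With the constructed input the checks report an x86 PE32 DLL, all four mitigation flags the report lists for the stub, .qdata and 510OCR as the non-standard names, and an extension mismatch for "._"; the same function, run on real files, should be combined with a bounds check on the header offsets before trusting e_lfanew or SizeOfOptionalHeader from untrusted input.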
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_00714D8A __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00714D8A
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_00728590 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW, 0_2_00728590
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_007386E8 FindFirstFileExA, 0_2_007386E8
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0072BC1D VirtualQuery,GetSystemInfo, 0_2_0072BC1D
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe API call chain: ExitProcess graph end node

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0072D242 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0072D242

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_007353C2 mov eax, dword ptr fs:[00000030h] 0_2_007353C2

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_007393D0 GetProcessHeap, 0_2_007393D0
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0072D242 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0072D242
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_007312B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007312B4
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0072D3E5 SetUnhandledExceptionFilter, 0_2_0072D3E5
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0072C69D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0072C69D
Note: every entry in this group sits in process 0, the WinRAR stub, and matches what the MSVC runtime emits in any release build: IsProcessorFeaturePresent followed by IsDebuggerPresent, SetUnhandledExceptionFilter and UnhandledExceptionFilter is the runtime's fast-fail / abort path, the fs:[30h] read is how 32-bit CRT start-up code reaches the PEB, and GetProcessHeap backs the CRT allocator. None of these is evidence of anti-analysis on the author's part; any real anti-debugging would be in the payload running inside regsvr32.exe, which this report does not show.
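Separating compiler boilerplate from findings that deserve a look is a recurring chore with sandbox reports, so as an added example (not part of the report or of Joe Sandbox) the block below parses "Code function" lines of the form shown on this page, groups them by process, and labels each function. The sample input is a handful of lines copied from this report; the list of runtime call sequences and the set of notable APIs are this example's assumptions, and lines whose body is raw assembly (such as the fs:[30h] read) are outside the regex on purpose.

```python
import ntpath
import re

# Sample input: "Code function" lines copied from the report above.
REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04A769C0 NtCreateThreadEx, 1_2_04A769C0",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_04951000 1_2_04951000",
    r"Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0072D242 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0072D242",
    r"Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_007312B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007312B4",
    r"Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_007393D0 GetProcessHeap, 0_2_007393D0",
    r"Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0072BC1D VirtualQuery,GetSystemInfo, 0_2_0072BC1D",
]

# "<pid>_<run>_<address> [api,api,...,] <pid>_<run>_<address>"; the API list is optional.
LINE_RE = re.compile(
    r"^Source: (?P<image>.+?) Code function: "
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})"
    r"(?: (?P<apis>\S+))? \d+_\d+_[0-9A-Fa-f]{8}$"
)

# Contiguous call sequences emitted by MSVC runtime start-up/teardown code
# (assumed list); a match means the sandbox matched compiler boilerplate.
CRT_SEQUENCES = [
    ("IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"),
]
# APIs worth a human look (assumed list); checked only after the CRT filter.
NOTABLE_APIS = {
    "NtCreateThreadEx": "native thread creation (loader / injection primitive)",
    "CreateRemoteThread": "remote thread creation",
    "WriteProcessMemory": "cross-process memory write",
    "VirtualAllocEx": "cross-process allocation",
    "IsDebuggerPresent": "anti-debug check outside runtime code",
}


def parse_code_functions(lines):
    """Turn report lines into {pid, image, addr, apis} records; unparseable lines are skipped."""
    funcs = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        apis = [a for a in (m["apis"] or "").split(",") if a]
        funcs.append({"pid": int(m["pid"]), "image": m["image"],
                      "addr": int(m["addr"], 16), "apis": apis})
    return funcs


def contains_sequence(apis, seq):
    """True if seq occurs in apis as a contiguous run."""
    n = len(seq)
    return any(tuple(apis[i:i + n]) == seq for i in range(len(apis) - n + 1))


def triage(lines):
    """Label each function: crt-boilerplate, notable: ..., ordinary, or no-api-calls."""
    verdicts = []
    for f in parse_code_functions(lines):
        if any(contains_sequence(f["apis"], seq) for seq in CRT_SEQUENCES):
            label = "crt-boilerplate"
        elif not f["apis"]:
            label = "no-api-calls"
        else:
            hits = [NOTABLE_APIS[a] for a in f["apis"] if a in NOTABLE_APIS]
            label = "notable: " + "; ".join(hits) if hits else "ordinary"
        verdicts.append((f["pid"], ntpath.basename(f["image"]), f"{f['addr']:08X}", label))
    return verdicts


def apis_by_process(lines):
    """Map each process id to the set of APIs the report resolved inside it."""
    inventory = {}
    for f in parse_code_functions(lines):
        inventory.setdefault(f["pid"], set()).update(f["apis"])
    return inventory


if __name__ == "__main__":
    for pid, image, addr, label in triage(REPORT_LINES):
        print(f"pid {pid} {image:15} {addr} {label}")
```

On the sample lines the two IsDebuggerPresent chains come out as runtime boilerplate, the NtCreateThreadEx function in regsvr32.exe is the only notable hit, and the per-process inventory makes it obvious that the native-API call is attributed to process 1 rather than to the SFX stub.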
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /u /s .\42ZQUg._
Note: the same launch is listed again here as a protection-evasion finding: regsvr32.exe is a Microsoft-signed system binary that application allowlisting and reputation-based controls normally permit, so the attacker-supplied module executes under its identity. Detection has to look at the argument and the parent rather than the image being launched.
Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0072D05E cpuid 0_2_0072D05E

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00726CF5
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_0072B2FE GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_0072B2FE
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe Code function: 0_2_00715032 GetVersionExW, 0_2_00715032
Note: cpuid in runtime start-up (instruction-set detection), locale-aware number formatting for the extraction dialog, the GetLocalTime call that feeds the sfxstime variable and a GetVersionExW call are routine for a WinRAR stub and carry no weight as environment-fingerprinting indicators here.

No contacted IP addresses were recorded during this run.