Windows Analysis Report
07lwzQoOuP.exe

Overview

General Information

Sample name: 07lwzQoOuP.exe
(renamed file extension from bin to exe, renamed because original name is a hash value)
Original sample name: 5c06818c78b238c60419fae8f263c931f1982ae311a365bc824e0013229ade7b.bin
Analysis ID: 1431554
MD5: 7ec9e3fc3f9f3cce7c965e09152726a4
SHA1: f03293a7f7e9a1eb072e689d48c88b5f59858029
SHA256: 5c06818c78b238c60419fae8f263c931f1982ae311a365bc824e0013229ade7b
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
.NET source code contains very large strings
Machine Learning detection for sample
Reads the Security eventlog
Reads the System eventlog
Allocates memory with a write watch (potentially for evading sandboxes)
Enables debug privileges
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Uses 32bit PE files

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 07lwzQoOuP.exe Virustotal: Detection: 7% Perma Link
Machine Learning detection for sample
Source: 07lwzQoOuP.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 07lwzQoOuP.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 07lwzQoOuP.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 07lwzQoOuP.exe, 00000000.00000002.2870706118.00000000032A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Spam, unwanted Advertisements and Ransom Demands
barindex
Reads the Security eventlog
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell Jump to behavior
Reads the System eventlog
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System Jump to behavior

System Summary
barindex
.NET source code contains very large strings
Source: 07lwzQoOuP.exe, PS2EXE.cs Long String: Length: 12988
Sample file is different than original file name gathered from version info
Source: 07lwzQoOuP.exe, 00000000.00000002.2870706118.00000000032A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs 07lwzQoOuP.exe
Source: 07lwzQoOuP.exe, 00000000.00000002.2870706118.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7.5RabbitFix_V9.exe4 vs 07lwzQoOuP.exe
Source: 07lwzQoOuP.exe, 00000000.00000002.2870706118.0000000003796000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ,\\StringFileInfo\\000004B0\\OriginalFilename vs 07lwzQoOuP.exe
Source: 07lwzQoOuP.exe, 00000000.00000002.2870706118.000000000331C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs 07lwzQoOuP.exe
Source: 07lwzQoOuP.exe, 00000000.00000000.1619818988.0000000000F92000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7.5RabbitFix_V9.exe4 vs 07lwzQoOuP.exe
Source: 07lwzQoOuP.exe Binary or memory string: OriginalFilename7.5RabbitFix_V9.exe4 vs 07lwzQoOuP.exe
Uses 32bit PE files
Source: 07lwzQoOuP.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 07lwzQoOuP.exe, PS2EXE.cs Base64 encoded string: 'IyNSYWJiaXRNUSBCYXNlIEZpeCMjDQoNCldyaXRlLUhvc3QgJycNCldyaXRlLUhvc3QgJyhjKTIwMTkgTGVuZWxTMicNCldyaXRlLUhvc3QgJycNCg0KIyNTZXQgVGltZW91dCBWYWx1ZQ0KDQpbaW50XSRUaW1lcj1SZWFkLUhvc3QgIkVudGVyIHRpbWVvdXQgdmFsdWUgaW4gc2Vjb25kcywgcHJlc3MgPEVOVEVSPiBmb3IgZGVmYXVsdCINCmlmKCRUaW1lciAtZXEgJycpDQp7DQogICAgJFRpbWVyPTMwDQp9DQoNCldyaXRlLUhvc3QgJycNCg0KIyM3LjYgQmFja3BvcnQgQ2xlYW51cCBSTVEgc3R1ZmYNCg0KdHJ5DQp7DQogICAgICAgIFdyaXRlLUhvc3QgJ01ha2luZyBzdXJlIFJNUSBiYWNrZ3JvdW5kIHByb2Nlc3NlcyBhcmUgc3RvcHBlZC4uJyAtZm9yZWdyb3VuZGNvbG9yIFllbGxvdyAgDQogICAgICAgIHRhc2traWxsIC9pbSBlcmxzcnYuZXhlIC9mIC90IDI+JjE+JG51bGwNCiAgICAgICAgdGFza2tpbGwgL2ltIGVwbWQuZXhlIC9mIC90IDI+JjE+JG51bGwNCiAgICAgICAgdGFza2tpbGwgL2ltIGVybC5leGUgL2YgL3QgMj4mMT4kbnVsbA0KICAgICAgICB0YXNra2lsbCAvaW0gbmdpbnguZXhlIC8gZiAvdCAyPiYxPiRudWxsDQogICAgICAgIFdyaXRlLUhvc3QgJ0RvbmUuJyAtRm9yZWdyb3VuZENvbG9yIEdyZWVuDQogICAgICAgIFdyaXRlLUhvc3QgJ0NsZWFuaW5nIHVwIHByZXZpb3VzIGluc3RhbGxhdGlvbiBvZiBSTVEuLicgLUZvcmVncm91bmRDb2xvciBZZWxsb3cgIA0KICAgICAgICBXcml0ZS1Ib3N0ICcnDQogICAgICAgIFJlbW92ZS1JdGVtIC1SZWN1cnNlIC1Gb3JjZSAkZW52OnByb2dyYW1kYXRhXGxubFxSYWJiaXRNUQ0KfQ0KY2F0Y2gNCnsNCiAgICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gcmVtb3ZlIGV4aXN0aW5nIFJNUSBkaXJlY3RvcnkuIiAtRm9yZWdyb3VuZENvbG9yIFJlZA0KfQ0KDQojI0NyZWF0ZSBuZXcgZGlyZWN0b3J5IyMNCg0KdHJ5DQp7DQogICAgTmV3LUl0ZW0gLVBhdGggIiRlbnY6cHJvZ3JhbWRhdGFcbG5sXFJhYmJpdE1RIiAtSXRlbVR5cGUgImRpcmVjdG9yeSIgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUgIC1FcnJvclZhcmlhYmxlIGRpcmVjdG9yeSANCn0NCg0KY2F0Y2gNCnsNCiAgICBXcml0ZS1Ib3N0ICJVbmFibGUgdG8gY3JlYXRlIHJhYmJpdCBiYXNlIGRpcmVjdG9yeSBpbiAkZW52OnByb2dyYW1kYXRhXGxubFxSYWJiaXRNUS4uIg0KfQ0KDQojQmVmb3JlIENvcHlpbmcgYWR2YW5jZWQuY29uZmlnIGZpbGUgY2hlY2sgT0cgaW5zdGFsbGF0aW9uIHBhdGgNCg0KdHJ5DQp7DQogICAgJEluc3RhbGxlZFZlcnNpb249R2V0LUl0ZW1Qcm9wZXJ0eSBSZWdpc3RyeTo6SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXFdPVzY0MzJOb2RlXExlbmVsXE9uR3VhcmQgLU5hbWUgUHJvZHVjdFZlcnNpb24NCiAgICAkVmVyc2lvbj0kSW5zdGFsbGVkVmVyc2lvbi5Qcm9kdWN0VmVyc2lvbg0KICAgICRpbnN0YWxsPUdldC1JdGVtUHJvcGVydHkgUmVnaXN0cnk6OkhLRVlfTE9DQUxfTUFDSElORVxTT0ZUV0FSRVxXT1c2NDMyTm9kZVxMZW5lbFxPbkd1YXJkIC1OYW1lIEluc3RhbGxQYXRoDQogICAgW29iamVjdF0kSW5zdGFsbFBhdGg9JGluc3RhbGwuSW5zdGFsbFBhdGggICAgDQp9DQoNCmNhdGNoDQp7DQogICAgV3JpdGUtSG9zdCAnVW5hYmxlIHRvIGdldCBPbkd1YXJkIHZlcnNpb24nDQogICAgUGF1c2UNCiAgICBFeGl0DQp9DQoNCnRyeQ0Kew0KICAgICRBZGpJbnN0YWxsUGF0aD0kSW5zdGFsbFBhdGguUmVwbGFjZSgnXCcsICdcXCcpDQoJKEdldC1Db250ZW50IGFkdmFuY2VkLmNvbmZpZykucmVwbGFjZSgnQzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXE9uR3VhcmRcXCcsICRBZGpJbnN0YWxsUGF0aCkgfCBTZXQtQ29udGVudCBhZHZhbmNlZC5jb25maWcNCn0NCg0KY2F0Y2gNCnsNCglXcml0ZS1Ib3N0ICdVbmFibGUgdG8gdXBkYXRlIGFkdmFuY2VkLmNvbmZpZyBmaWxlIHBhdGggdG8gY2EuY2VyIHBsZWFzZSBtYW51YWxseSBjaGVjayB0aGlzIGZpbGUgbG9jYXRlZCBpbiAlcHJvZ3JhbWRhdGElXGxubFxSYWJiaXRNUScgICAgDQp9DQoNCg0KIyNDb3B5IGFkdmFuY2VkLmNvbmZpZyAmIHJhYmJpdC5jb25mIHRvIG5ldyBkaXJlY3RvcnkjIw0KDQp0cnkNCnsNCiAgICBDb3B5LUl0ZW0gLlxhZHZhbmNlZC5jb25maWcgLURlc3RpbmF0aW9uICIkZW52OnByb2dyYW1kYXRhXGxubFxSYWJiaXRNUSIgLVJlY3Vyc2UgLUVycm9yQWN0aW9uIENvbnRpbnVlIC1FcnJvclZhcmlhYmxlIGFkdg0KICAgIEN
Source: classification engine Classification label: mal68.evad.winEXE@2/3@0/0
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Users\user\Desktop\07lwzQoOuP.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gjoqykhp.xg4.ps1 Jump to behavior
Source: 07lwzQoOuP.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 07lwzQoOuP.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 07lwzQoOuP.exe Virustotal: Detection: 7%
Source: unknown Process created: C:\Users\user\Desktop\07lwzQoOuP.exe "C:\Users\user\Desktop\07lwzQoOuP.exe"
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: 07lwzQoOuP.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 07lwzQoOuP.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 07lwzQoOuP.exe, PS2EXEHostUI.cs .Net Code: Prompt
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Memory allocated: 30C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Memory allocated: 1B2A0000 memory reserve | memory write watch Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Queries volume information: C:\Users\user\Desktop\07lwzQoOuP.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\07lwzQoOuP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1431554 Sample: 07lwzQoOuP.bin Startdate: 25/04/2024 Architecture: WINDOWS Score: 68 11 Multi AV Scanner detection for submitted file 2->11 13 .NET source code contains potential unpacker 2->13 15 Machine Learning detection for sample 2->15 17 .NET source code contains very large strings 2->17 6 07lwzQoOuP.exe 5 2->6         started        process3 signatures4 19 Reads the Security eventlog 6->19 21 Reads the System eventlog 6->21 9 conhost.exe 6->9         started        process5
No contacted IP infos