Edit tour

Windows Analysis Report
JiH0aUfOU6.exe

Overview

General Information

Sample name:	JiH0aUfOU6.exe renamed because original name is a hash value
Original sample name:	634dd946969fd0ea89693faa9943907a7d539c722dc63a5dbd4b23a2bee6daae.exe
Analysis ID:	1593605
MD5:	9b979d3d3f37bcb0525fe001b19be432
SHA1:	7e7edfd66d742e4dad4bea84aceb2a4ece7c817d
SHA256:	634dd946969fd0ea89693faa9943907a7d539c722dc63a5dbd4b23a2bee6daae
Tags:	185-196-10-22exegreenindustry-pluser-JAMESWT_MHT
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Queries the product ID of Windows

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

JiH0aUfOU6.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\JiH0aUfOU6.exe" MD5: 9B979D3D3F37BCB0525FE001B19BE432)

JiH0aUfOU6.tmp (PID: 7616 cmdline: "C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp" /SL5="$7047C,2802098,845824,C:\Users\user\Desktop\JiH0aUfOU6.exe" MD5: E587511F17C07622F2E88BDE6DC2A499)

Autoit3.exe (PID: 7632 cmdline: "C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe" C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\script.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

WerFault.exe (PID: 7784 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7632 -s 820 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: JiH0aUfOU6.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: JiH0aUfOU6.exe	Virustotal: Detection: 41%			Perma Link
Source: JiH0aUfOU6.exe	ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.5% probability

Source: JiH0aUfOU6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: JiH0aUfOU6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00474005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00474005
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0047C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0047C2FF
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0047494A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0047494A
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0047CD14 FindFirstFileW,FindClose,	2_2_0047CD14
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0047CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0047CD9F
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0047F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0047F5D8
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0047F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0047F735
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0047FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0047FA36
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00473CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00473CE2
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00EC0205 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	2_2_00EC0205
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00EC030D FindFirstFileA,GetLastError,	2_2_00EC030D
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00EBDB35 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	2_2_00EBDB35

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_004829BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

2_2_004829BA

Source: JiH0aUfOU6.tmp, 00000001.00000003.1798481983.0000000003FD3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: JiH0aUfOU6.tmp, 00000001.00000003.1798481983.0000000003FD3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: JiH0aUfOU6.tmp, 00000001.00000003.1798481983.0000000003FD3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: JiH0aUfOU6.tmp, 00000001.00000003.1798481983.0000000003FD3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.1.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: JiH0aUfOU6.tmp, 00000001.00000003.1798481983.0000000003FD3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: JiH0aUfOU6.tmp, 00000001.00000003.1798481983.0000000003FD3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: JiH0aUfOU6.tmp, 00000001.00000003.1798481983.0000000003FD3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: JiH0aUfOU6.tmp, 00000001.00000003.1798481983.0000000003FD3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: JiH0aUfOU6.tmp, 00000001.00000003.1798481983.0000000003FD3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: JiH0aUfOU6.tmp, 00000001.00000003.1798481983.0000000003FD3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000000.1797199517.00000000004D9000.00000002.00000001.01000000.00000006.sdmp, Autoit3.exe.1.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: JiH0aUfOU6.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: JiH0aUfOU6.tmp, 00000001.00000003.1798481983.0000000003FD3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.1.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Autoit3.exe.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: JiH0aUfOU6.tmp, 00000001.00000003.1798481983.0000000003FD3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.1.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: JiH0aUfOU6.exe, 00000000.00000003.1790322712.0000000003330000.00000004.00001000.00020000.00000000.sdmp, JiH0aUfOU6.exe, 00000000.00000003.1790816806.000000007F2FB000.00000004.00001000.00020000.00000000.sdmp, JiH0aUfOU6.tmp, 00000001.00000000.1792796648.0000000000751000.00000020.00000001.01000000.00000004.sdmp, JiH0aUfOU6.tmp.0.dr	String found in binary or memory: https://www.innosetup.com/
Source: JiH0aUfOU6.exe, 00000000.00000003.1790322712.0000000003330000.00000004.00001000.00020000.00000000.sdmp, JiH0aUfOU6.exe, 00000000.00000003.1790816806.000000007F2FB000.00000004.00001000.00020000.00000000.sdmp, JiH0aUfOU6.tmp, 00000001.00000000.1792796648.0000000000751000.00000020.00000001.01000000.00000004.sdmp, JiH0aUfOU6.tmp.0.dr	String found in binary or memory: https://www.remobjects.com/ps

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00484632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

2_2_00484632

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00484830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

2_2_00484830

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

2_2_00484632

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00470508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

2_2_00470508

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_0049D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

2_2_0049D164

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00ED1F01 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,

2_2_00ED1F01

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00ED5389 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,

2_2_00ED5389

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00474254: CreateFileW,DeviceIoControl,CloseHandle,

2_2_00474254

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00468F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

2_2_00468F2E

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00475778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

2_2_00475778

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0041B020	2_2_0041B020
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00411663	2_2_00411663
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00419C80	2_2_00419C80
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_004323F5	2_2_004323F5
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00498400	2_2_00498400
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00446502	2_2_00446502
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0044265E	2_2_0044265E
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0041E6F0	2_2_0041E6F0
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0043282A	2_2_0043282A
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_004489BF	2_2_004489BF
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00446A74	2_2_00446A74
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00490A3A	2_2_00490A3A
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00420BE0	2_2_00420BE0
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0043CD51	2_2_0043CD51
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0046EDB2	2_2_0046EDB2
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00478E44	2_2_00478E44
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00490EB7	2_2_00490EB7
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00446FE6	2_2_00446FE6
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_004333B7	2_2_004333B7
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0042D45D	2_2_0042D45D
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0043F409	2_2_0043F409
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_004194E0	2_2_004194E0
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0042F628	2_2_0042F628
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0041F6A0	2_2_0041F6A0
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_004316B4	2_2_004316B4
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_004378C3	2_2_004378C3
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0043DBA5	2_2_0043DBA5
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00431BA8	2_2_00431BA8
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00449CE5	2_2_00449CE5
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0042DD28	2_2_0042DD28
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00431FC0	2_2_00431FC0
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0043BFD6	2_2_0043BFD6
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED4CE1	2_2_00ED4CE1
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED4CDA	2_2_00ED4CDA

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: String function: 00421A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: String function: 00438B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: String function: 00430D17 appears 70 times

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7632 -s 820

Source: JiH0aUfOU6.tmp.0.dr

Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: JiH0aUfOU6.tmp.0.dr	Static PE information: Number of sections : 11 > 10
Source: JiH0aUfOU6.exe	Static PE information: Number of sections : 11 > 10

Source: JiH0aUfOU6.exe, 00000000.00000003.1790322712.000000000344E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs JiH0aUfOU6.exe
Source: JiH0aUfOU6.exe, 00000000.00000000.1788139711.0000000000399000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs JiH0aUfOU6.exe
Source: JiH0aUfOU6.exe, 00000000.00000003.1790816806.000000007F5FA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs JiH0aUfOU6.exe
Source: JiH0aUfOU6.exe	Binary or memory string: OriginalFileName vs JiH0aUfOU6.exe

Source: JiH0aUfOU6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.spyw.evad.winEXE@6/9@0/0

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_0047A6AD GetLastError,FormatMessageW,

2_2_0047A6AD

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00468DE9 AdjustTokenPrivileges,CloseHandle,		2_2_00468DE9
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00469399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		2_2_00469399

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_0047B976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

2_2_0047B976

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00474148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

2_2_00474148

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_0047C9DA CoInitialize,CoCreateInstance,CoUninitialize,

2_2_0047C9DA

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_0047443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

2_2_0047443D

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7632

Source: C:\Users\user\Desktop\JiH0aUfOU6.exe

File created: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp

Jump to behavior

Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\JiH0aUfOU6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: JiH0aUfOU6.exe	Virustotal: Detection: 41%
Source: JiH0aUfOU6.exe	ReversingLabs: Detection: 39%

Source: JiH0aUfOU6.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\JiH0aUfOU6.exe

File read: C:\Users\user\Desktop\JiH0aUfOU6.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\JiH0aUfOU6.exe "C:\Users\user\Desktop\JiH0aUfOU6.exe"
Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	Process created: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp "C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp" /SL5="$7047C,2802098,845824,C:\Users\user\Desktop\JiH0aUfOU6.exe"
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe "C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe" C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\script.a3x
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7632 -s 820
Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	Process created: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp "C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp" /SL5="$7047C,2802098,845824,C:\Users\user\Desktop\JiH0aUfOU6.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe "C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe" C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\script.a3x	Jump to behavior

Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: JiH0aUfOU6.exe

Static file information: File size 3796818 > 1048576

Source: JiH0aUfOU6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_0048C6D9 LoadLibraryA,GetProcAddress,

2_2_0048C6D9

Source: JiH0aUfOU6.exe	Static PE information: section name: .didata
Source: JiH0aUfOU6.tmp.0.dr	Static PE information: section name: .didata

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0043E93F push edi; ret	2_2_0043E941
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00478A4A push FFFFFF8Bh; iretd	2_2_00478A4C
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0043EA58 push esi; ret	2_2_0043EA5A
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00438B75 push ecx; ret	2_2_00438B88
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0042CBF1 push eax; retf	2_2_0042CBF8
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0043EC33 push esi; ret	2_2_0043EC35
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0043ED1C push edi; ret	2_2_0043ED1E
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00EBE6A5 push 00EBE6F6h; ret	2_2_00EBE6EE
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED40E9 push 00ED4135h; ret	2_2_00ED412D
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED00F5 push 00ED0121h; ret	2_2_00ED0119
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00EC5099 push 00EC5215h; ret	2_2_00EC520D
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED3029 push 00ED3055h; ret	2_2_00ED304D
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ECD1D9 push ecx; mov dword ptr [esp], ecx	2_2_00ECD1DE
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED52F5 push 00ED5321h; ret	2_2_00ED5319
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED52F3 push 00ED5321h; ret	2_2_00ED5319
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED52B5 push 00ED52E1h; ret	2_2_00ED52D9
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00EC5299 push 00EC52C5h; ret	2_2_00EC52BD
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00EC5291 push 00EC52C5h; ret	2_2_00EC52BD
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED527D push 00ED52A9h; ret	2_2_00ED52A1
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00EC5219 push 00EC5288h; ret	2_2_00EC5280
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00EC5217 push 00EC5288h; ret	2_2_00EC5280
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ECB3D9 push 00ECB481h; ret	2_2_00ECB479
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ECB361 push 00ECB3D7h; ret	2_2_00ECB3CF
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ECB4ED push 00ECB519h; ret	2_2_00ECB511
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ECB48F push 00ECB519h; ret	2_2_00ECB511
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED4495 push 00ED44D8h; ret	2_2_00ED44D0
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED4494 push 00ED44D8h; ret	2_2_00ED44D0
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED4445 push 00ED4471h; ret	2_2_00ED4469
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED443D push 00ED4471h; ret	2_2_00ED4469
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00EC05C9 push ecx; mov dword ptr [esp], eax	2_2_00EC05CA
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ECB5C2 push 00ECB635h; ret	2_2_00ECB62D

Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	File created: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_004959B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		2_2_004959B3
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00425EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		2_2_00425EDA

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_004333B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_004333B7

Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_2-113744

Source: C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\_isetup\_setup64.tmp

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_2-112673

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

API coverage: 4.9 %

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00474005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00474005
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0047C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0047C2FF
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0047494A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0047494A
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0047CD14 FindFirstFileW,FindClose,	2_2_0047CD14
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0047CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0047CD9F
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0047F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0047F5D8
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0047F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0047F735
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0047FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0047FA36
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00473CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00473CE2
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00EC0205 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	2_2_00EC0205
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00EC030D FindFirstFileA,GetLastError,	2_2_00EC030D
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00EBDB35 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	2_2_00EBDB35

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00425D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

2_2_00425D13

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Autoit3.exe, Autoit3.exe, 00000002.00000003.1848964509.0000000000F43000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.4250471709.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000003.1848964509.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.4250424435.0000000000EB6000.00000040.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.4250471709.0000000000EE2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Autoit3.exe	Binary or memory string: ksJlMugAfJJiCpQzTvHPkiOXPpWhGFSwxpdVRxiinwPGhUIcRINemJjwnThIXtDiaSZYcFozQAClCBmoqTgYgjbYvufIlbsZGmuAQCTOeDegsMqvyazDdYRHIcBaADUJoIqcFMiwYOguJvZrEcIojiaKbAJwvkkMhtTxNwibjQaWdIJEkbCZFGLBqZvDWvHnFGlcEGMmcVFDAQiqcWeVrZaGXiiWDYSXmMHzucFVIOubyDBtdQsJwILHgoVXnVTmQXxT
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Autoit3.exe, 00000002.00000002.4250471709.0000000000EE2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Autoit3.exe, 00000002.00000002.4250471709.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000003.1848964509.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000003.1848964509.0000000000EEC000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.4250424435.0000000000EB6000.00000040.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.4250471709.0000000000EE2000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.4250573331.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xRckeQNZuMKVTzSBBtqmbcsgnaBYEbZaOwjiqXNRDquAjeMRvwNRxJetYOwhpnTOcozOeCkwmEhYbtoroygOEkCQSiklrIXCdvDMwNjgtuAcCYYEizUkEfFASNbfKXpvDqnhcWPpsCRqcmTHZXPFjdfJqdVCyExbjYHtoFjxYOllWjDmCOPNQbWFVCDfVKzEvMfheByguPDYQDgGDtiQAeZFQIBlwgZUHAoAfJPXimzHuQgGFBumXBjfyNceCvcsiCcSFksJlMugAfJJiCpQzTvHPkiOXPpWhGFSwxpdVRxiinwPGhUIcRINemJjwnThIXtDiaSZYcFozQAClCBmoqTgYgjbYvufIlbsZGmuAQCTOeDegsMqvyazDdYRHIcBaADUJoIqcFMiwYOguJvZrEcIojiaKbAJwvkkMhtTxNwibjQaWdIJEkbCZFGLBqZvDWvHnFGlcEGMmcVFDAQiqcWeVrZaGXiiWDYSXmMHzucFVIOubyDBtdQsJwILHgoVXnVTmQXxTvnnbOGvWSPjitMzqQODvKenUsAagrFfHPCdLTlpNbKTQqMIlvobSoRuYKrVnZbcILYjlhRmUPKIdwWkjeSydfoaoFkFYiBUhmsHXxmbGwzXnytwvGZcmjMxNPksjyzoOwpnxtMagHdzvtlQxSTONkaGpyKRzJoXBniKvlggwFHqlpDSqxAxgCuZIooagQnJSKcxGZNVBWMQWFEirfHNZpNFyqSiWdTuCHSRerywlMfKARvvnxQifnwfniDWxSAbOWmZUJFtnAPaAMmsndpZwWoKyPRoPPFGjvGVohcZnofgjqnQRyisbAJkwJrzOKFrKQjtHzjeMwELsKILVjkldVDWqNbhQEZqKSUbAmWffVdRCpJbQHbvWMqSntglYImUYkwqBFKZGbHQUGCRnlXBfoTzlrdXYtRtHAqBBAwqBEKsiABn
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	API call chain: ExitProcess graph end node	graph_2-111947
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	API call chain: ExitProcess graph end node	graph_2-113742
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	API call chain: ExitProcess graph end node	graph_2-113729
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	API call chain: ExitProcess graph end node	graph_2-111549

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00EBC4B9 LdrInitializeThunk,

2_2_00EBC4B9

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_004845D5 BlockInput,

2_2_004845D5

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00425240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

2_2_00425240

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00445CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

2_2_00445CAC

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_0048C6D9 LoadLibraryA,GetProcAddress,

2_2_0048C6D9

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00EE0C4E mov eax, dword ptr fs:[00000030h]	2_2_00EE0C4E
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED4CE1 mov eax, dword ptr fs:[00000030h]	2_2_00ED4CE1
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED4CE1 mov eax, dword ptr fs:[00000030h]	2_2_00ED4CE1
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED4CDA mov eax, dword ptr fs:[00000030h]	2_2_00ED4CDA
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ED4CDA mov eax, dword ptr fs:[00000030h]	2_2_00ED4CDA
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00ECEDF5 mov eax, dword ptr fs:[00000030h]	2_2_00ECEDF5

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_004688CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

2_2_004688CD

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0043A354 SetUnhandledExceptionFilter,		2_2_0043A354
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0043A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		2_2_0043A385

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00469369 LogonUserW,

2_2_00469369

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00425240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

2_2_00425240

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00471AC6 SendInput,keybd_event,

2_2_00471AC6

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_004751E2 mouse_event,

2_2_004751E2

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

2_2_004688CD

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00474F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

2_2_00474F1C

Source: JiH0aUfOU6.tmp, 00000001.00000003.1798481983.0000000003FC5000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000000.1796828533.00000000004C6000.00000002.00000001.01000000.00000006.sdmp, Autoit3.exe.1.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Autoit3.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_0043885B cpuid

2_2_0043885B

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	2_2_00EBDD0D
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: GetLocaleInfoA,GetACP,	2_2_00EC4229
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: GetLocaleInfoA,	2_2_00EBE631
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: GetLocaleInfoA,	2_2_00EC2CDD
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: GetLocaleInfoA,	2_2_00EC2C91
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	2_2_00EBDE17

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00450030 GetLocalTime,__swprintf,

2_2_00450030

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00450722 GetUserNameW,

2_2_00450722

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_0044416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_0044416A

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Code function: 2_2_00425D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

2_2_00425D13

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: Autoit3.exe	Binary or memory string: WIN_81
Source: Autoit3.exe	Binary or memory string: WIN_XP
Source: Autoit3.exe	Binary or memory string: WIN_XPe
Source: Autoit3.exe	Binary or memory string: WIN_VISTA
Source: Autoit3.exe	Binary or memory string: WIN_7
Source: Autoit3.exe	Binary or memory string: WIN_8
Source: Autoit3.exe.1.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_0048696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		2_2_0048696E
Source: C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	Code function: 2_2_00486E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		2_2_00486E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	12 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Create Account	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	45 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	2 Valid Accounts	LSA Secrets	51 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	3 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
JiH0aUfOU6.exe	41%	Virustotal		Browse
JiH0aUfOU6.exe	39%	ReversingLabs	Win32.Backdoor.Redcap
JiH0aUfOU6.exe	100%	Avira	BDS/Redcap.pbbbh

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	4%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\_isetup\_setup64.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp	1%	Virustotal	Browse

Name	Source	Malicious	Reputation
http://www.autoitscript.com/autoit3/J	JiH0aUfOU6.tmp, 00000001.00000003.1798481983.0000000003FD3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000000.1797199517.00000000004D9000.00000002.00000001.01000000.00000006.sdmp, Autoit3.exe.1.dr	false	high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	JiH0aUfOU6.exe	false	high
http://upx.sf.net	Amcache.hve.5.dr	false	high
https://www.autoitscript.com/autoit3/	JiH0aUfOU6.tmp, 00000001.00000003.1798481983.0000000003FD3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.1.dr	false	high
https://www.remobjects.com/ps	JiH0aUfOU6.exe, 00000000.00000003.1790322712.0000000003330000.00000004.00001000.00020000.00000000.sdmp, JiH0aUfOU6.exe, 00000000.00000003.1790816806.000000007F2FB000.00000004.00001000.00020000.00000000.sdmp, JiH0aUfOU6.tmp, 00000001.00000000.1792796648.0000000000751000.00000020.00000001.01000000.00000004.sdmp, JiH0aUfOU6.tmp.0.dr	false	high
https://www.innosetup.com/	JiH0aUfOU6.exe, 00000000.00000003.1790322712.0000000003330000.00000004.00001000.00020000.00000000.sdmp, JiH0aUfOU6.exe, 00000000.00000003.1790816806.000000007F2FB000.00000004.00001000.00020000.00000000.sdmp, JiH0aUfOU6.tmp, 00000001.00000000.1792796648.0000000000751000.00000020.00000001.01000000.00000004.sdmp, JiH0aUfOU6.tmp.0.dr	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1593605
Start date and time:	2025-01-17 11:47:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	JiH0aUfOU6.exe renamed because original name is a hash value
Original Sample Name:	634dd946969fd0ea89693faa9943907a7d539c722dc63a5dbd4b23a2bee6daae.exe
Detection:	MAL
Classification:	mal48.spyw.evad.winEXE@6/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 68 Number of non-executed functions: 289
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 40.126.31.71, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
05:48:11	API Interceptor	1x Sleep call for process: JiH0aUfOU6.tmp modified
05:48:31	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\_isetup\_setup64.tmp	mb3-setup-legacywos-3.5.1.2522-1.0.365-1.0.5292.exe	Get hash	malicious	Unknown	Browse
	mb3-setup-legacywos-3.5.1.2522-1.0.365-1.0.5292.exe	Get hash	malicious	Unknown	Browse
	30am7EwuAH.exe	Get hash	malicious	MicroClip	Browse
	trmm-lanistest-mia-server-amd64.exe	Get hash	malicious	Unknown	Browse
	Setup_BrightSlide_1.0.9.exe	Get hash	malicious	Unknown	Browse
	mysetup.exe	Get hash	malicious	Unknown	Browse
	https://staging.promptus.ai/downloads/windows/promptus-ai-install-v1.0.0.86.exe	Get hash	malicious	Unknown	Browse
	https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe	Get hash	malicious	Unknown	Browse
	https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe	Get hash	malicious	Unknown	Browse
	https://www.axis.com/ftp/pub_soft/cam_srv/IPUtility/latest/AxisIPUtilitySetup.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe	2YLM6BQ9S3.exe	Get hash	malicious	RedLine	Browse
	sEOELQpFOB.lnk	Get hash	malicious	RedLine	Browse
	ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk	Get hash	malicious	RedLine, SectopRAT	Browse
	payload_1.hta	Get hash	malicious	RedLine	Browse
	fsg5PWtTm2.lnk	Get hash	malicious	RedLine, SectopRAT	Browse
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	Agreement for Cooperation.PDF.lnk.download.lnk	Get hash	malicious	RedLine	Browse
	malware.zip	Get hash	malicious	Unknown	Browse
	Dark_drop_2_pers_lum_clean.exe.bin.exe	Get hash	malicious	LummaC, DarkGate, LummaC Stealer, MailPassView	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Autoit3.exe_70b69d987cbe411a65bb4a3e8ac3e32f4409a1d_e0ee09ac_fc020f15-9386-4dbd-9c07-13e2760aa849\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9272751524738333
Encrypted:	false
SSDEEP:	192:DROCtclEj059O4jm1oazuiFBZ24IO8cD:TclEQ59O4jczuiFBY4IO8g
MD5:	AFD19EFB5FC6546CC7270537B2D37B12
SHA1:	F91F27D5712267C762E204F96C3F4C357E413D4D
SHA-256:	8E68A920D2F9C68042395A8913FCB03CC0B5B7E6E7202213EE601C4BEDAE6721
SHA-512:	A89F921A2744B460875FE57CC55B73002B7225C37817CFA11D590D1B6D8D7957895BC0E931D37B15C20D588B76BBCCFA821FDB2546DB9DE718E76D76AC228339
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.5.8.4.4.9.9.9.0.7.4.3.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.5.8.4.5.0.0.7.1.9.9.3.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.0.2.0.f.1.5.-.9.3.8.6.-.4.d.b.d.-.9.c.0.7.-.1.3.e.2.7.6.0.a.a.8.4.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.d.8.c.2.b.b.-.b.c.d.d.-.4.7.1.3.-.9.a.2.1.-.0.3.8.f.e.6.b.d.9.9.c.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.u.t.o.i.t.3...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.u.t.o.I.t.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.d.0.-.0.0.0.1.-.0.0.1.4.-.4.c.3.9.-.8.8.4.d.c.d.6.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.0.6.f.a.0.9.b.3.8.c.9.c.3.b.a.4.5.c.7.3.2.a.4.d.c.9.a.8.4.6.1.0.0.0.0.0.9.0.8.!.0.0.0.0.2.a.4.0.6.2.e.1.0.a.5.d.e.8.1.3.f.5.6.8.8.2.2.1.d.b.e.b.3.f.3.f.f.3.3.e.b.4.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9C7.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Jan 17 10:48:20 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	181942
Entropy (8bit):	1.0106736604866764
Encrypted:	false
SSDEEP:	384:nXOFepIaBITbKJ8pGuzWFvFunQxl7SJwsfo4EM2r:nXOkpWTOCpGuyTuQTSNB2
MD5:	DC506C26C92B585C00557A23AA8F796D
SHA1:	9838461B2522B0F04784F415093F0318C864206A
SHA-256:	B99333F50AAA7F66A9C91292AB163D0B757A445AB6287B2A7AE18297735CD7A5
SHA-512:	60703F3BA5D9634588A6ED0D080891D060226A46905F438DB58D134A63F71D63DA4430FAF8D7B84B0B0958869B42FFF1B180E6E9595A1BADCE6D38D87D2F51C2
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......t5.g........................(...............~,..........T.......8...........T...........h ..N.......................................................................................................eJ......H.......GenuineIntel............T...........k5.g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB4F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6324
Entropy (8bit):	3.724224999920276
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbIS6wc5YmeY4a5NIOzJ5aM4Uw89bvwsf/Olm:R6l7wVeJIS6tIY4aTLprw89bvwsf/Olm
MD5:	F8BF88E0123B0E9A81ED8F5F2B3CD577
SHA1:	589C326CB9D1E05D3382B33A31E3225E64812BB9
SHA-256:	768606DE649A4F4E569D6F2572F1F739B849B9566467DA42C8AF36BEC413487A
SHA-512:	0179D5FE741FEDCEC83390090B58AC32D3739AE5DCA5B823E1917EDA20C8D97E0179951ED5CA30428FC9EEF48BC2B60C6230C3E81AA10CD9C205DFBD82C7CEBE
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB8E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4672
Entropy (8bit):	4.491415926943535
Encrypted:	false
SSDEEP:	48:cvIwWl8zsHJg77aI95GWpW8VYOYm8M4JVoFJI+q89G8izwXalzgd:uIjfpI7vH7VGJx38i8qlzgd
MD5:	EF70B3DF8F0E05D0862CB70ABC231712
SHA1:	866B47F29F7150852BA396F63747FD4C6B0056D6
SHA-256:	202A9D7561A3F572ECDC34D8B2F50BE7E3EF4899BE598FA68F7FC5B06EB6F9A7
SHA-512:	5DC3A2BBB6F314E9FEA0B851B57D9581C806960424B5C6248525984E35C22E75BB2BF83214FFFAD81BFBEDEAFDA30991DE97CE3C3D8AA837CBB91211E3CA7CA8
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="679791" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 4%, Browse
Joe Sandbox View:	Filename: 2YLM6BQ9S3.exe, Detection: malicious, Browse Filename: sEOELQpFOB.lnk, Detection: malicious, Browse Filename: ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk, Detection: malicious, Browse Filename: payload_1.hta, Detection: malicious, Browse Filename: fsg5PWtTm2.lnk, Detection: malicious, Browse Filename: Whatsapp-GUI.exe, Detection: malicious, Browse Filename: Whatsapp-GUI.exe, Detection: malicious, Browse Filename: Agreement for Cooperation.PDF.lnk.download.lnk, Detection: malicious, Browse Filename: malware.zip, Detection: malicious, Browse Filename: Dark_drop_2_pers_lum_clean.exe.bin.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: mb3-setup-legacywos-3.5.1.2522-1.0.365-1.0.5292.exe, Detection: malicious, Browse Filename: mb3-setup-legacywos-3.5.1.2522-1.0.365-1.0.5292.exe, Detection: malicious, Browse Filename: 30am7EwuAH.exe, Detection: malicious, Browse Filename: trmm-lanistest-mia-server-amd64.exe, Detection: malicious, Browse Filename: Setup_BrightSlide_1.0.9.exe, Detection: malicious, Browse Filename: mysetup.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\script.a3x

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp
File Type:	zlib compressed data
Category:	dropped
Size (bytes):	527816
Entropy (8bit):	7.434659391669242
Encrypted:	false
SSDEEP:	12288:aXusPwTIi5db/9GYj6tt/cTo17E4KZqzk6a9g+L36wWH76IM:aXVwTIi5VVUWcKZSk6am+bOxM
MD5:	CBF4AFDB16E8FB9B6E45568F4E3745E5
SHA1:	3DC9792B4DF8F922BD04CA64402F35EFCD0CCA85
SHA-256:	D6A30A42B552FEE496F74F64F1946EB60ECA4ABB19358BFB4057DEEDFD3B23B5
SHA-512:	F139BC9A10E08C51D3085CB61C0305FB6E2FA08E6427CFE9D0974C8F002AADEBA9E9D3C378351FE1290B169A7C27F3F0135E75F6D2B624CDB0685C4920B30881
Malicious:	false
Preview:	x.Q..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................x.Q....................................

C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp

Download File

Process:	C:\Users\user\Desktop\JiH0aUfOU6.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3366912
Entropy (8bit):	6.530553087447205
Encrypted:	false
SSDEEP:	98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:	E587511F17C07622F2E88BDE6DC2A499
SHA1:	08899E43445DB2E0D000B3AFD80E028636786EEB
SHA-256:	9FBF0748B5D890C2C28B1AE20AAD7FC23A93CC7A57C4A51220D9381AF7637C60
SHA-512:	2E59D9C525C5383C4EA66C785584AA69256A47FFE928A6595CC2BF07469D2DA4DD56DCD3D3D42496E593C39EEC6356FC4C8A9CDEEE6770C7E6C3319B8B614C6E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465797821420193
Encrypted:	false
SSDEEP:	6144:nIXfpi67eLPU9skLmb0b4JWSPKaJG8nAgejZMMhA2gX4WABl0uNYdwBCswSbs5:IXD94JWlLZMM6YFH6+s5
MD5:	DBB91B8946410B6EA810469DB7FEBA59
SHA1:	36CE2AC4A29089568F3418C70B9B69461432F999
SHA-256:	35739259B49F2F87819E2A1346D832DD3A9E3411D3884326AEE303D688F5EB94
SHA-512:	34BFD1C5F80CB290ADA769909B152538728ED23077C51BF848DD3591111AA4A342CBD7B3CF71FD639288E30D6F960C2F0E1F00CAB266ACBC9E1EFCDFB8BCE885
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..hR.h..............................................................................................................................................................................................................................................................................................................................................ej.f........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.843780993957938
TrID:	Win32 Executable (generic) a (10002005/4) 98.04% Inno Setup installer (109748/4) 1.08% InstallShield setup (43055/19) 0.42% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	JiH0aUfOU6.exe
File size:	3'796'818 bytes
MD5:	9b979d3d3f37bcb0525fe001b19be432
SHA1:	7e7edfd66d742e4dad4bea84aceb2a4ece7c817d
SHA256:	634dd946969fd0ea89693faa9943907a7d539c722dc63a5dbd4b23a2bee6daae
SHA512:	7b9e885f0d1ddb3cf15739c862e3f009705e9fb702afa4f3a01e0b5b4b0b0ce6c6509c3ad6cbfcfec4cbd5a81b440863c5b0eae1586621585dbb9e9fc09a9242
SSDEEP:	49152:XwREDDMNDZqY8tmwzAdvzL+OqQ3BkPr8Yw4z0g3QT5W9ky+sdHeMxWrP+beY7UY2:XwREgZqPmwMFL1qKBExDzJQm+sdMwZgN
TLSH:	0406F112E1EFD87ED9DE1B360163918430FB3914A0256D079BFCF9D8CE24A366C6E15A
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0c0c2d33ceec80aa

Static PE Info

General

Entrypoint:	0x4a83bc
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	40ab50289f7ef5fae60801f88d4541fc

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007F7B3506EEA5h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007F7B3510082Bh
call 00007F7B3510037Eh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F7B350FB058h
mov edx, dword ptr [ebp-14h]
mov eax, 004B41F4h
call 00007F7B35068F53h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B41F4h]
mov dl, 01h
mov eax, dword ptr [0049CD14h]
call 00007F7B350FC383h
mov dword ptr [004B41F8h], eax
xor edx, edx
push ebp
push 004A8A27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F7B351008B3h
mov dword ptr [004B4200h], eax
mov eax, dword ptr [004B4200h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F7B3510759Ah
mov eax, dword ptr [004B4200h]
mov edx, 00000028h
call 00007F7B350FCC78h
mov edx, dword ptr [004B4200h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb7000	0x71	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5000	0xfec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcb000	0x11000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10fa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb52d4	0x25c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb6000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa568c	0xa5800	b889d302f6fc48a904de33d8d947ae80	False	0.3620185045317221	data	6.377190161826806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1b64	0x1c00	588dd0a8ab499300d3701cbd11b017d9	False	0.548828125	data	6.109264411030635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x3838	0x3a00	5c0c76e77aef52ebc6702430837ccb6e	False	0.35338092672413796	data	4.95916338709992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x7258	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb5000	0xfec	0x1000	627340dff539ef99048969aa4824fb2d	False	0.380615234375	data	5.020404933181373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb6000	0x1a4	0x200	fd11c1109737963cc6cb7258063abfd6	False	0.34765625	data	2.729290535217263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb7000	0x71	0x200	7de8ca0c7a61668a728fd3a88dc0942d	False	0.1796875	data	1.305578535725827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb8000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb9000	0x5d	0x200	d84006640084dc9f74a07c2ff9c7d656	False	0.189453125	data	1.3892750148744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0x10fa8	0x11000	a85fda2741bd9417695daa5fc5a9d7a5	False	0.5789579503676471	data	6.709466460182023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcb000	0x11000	0x11000	5f05bedd66ff8a8c3e340711ad34c004	False	0.1872271369485294	data	3.718253470294899	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcb678	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.1174924924924925
RT_ICON	0xcc0e0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.15792682926829268
RT_ICON	0xcc748	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.23387096774193547
RT_ICON	0xcca30	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.39864864864864863
RT_ICON	0xccb58	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.08339210155148095
RT_ICON	0xce180	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1023454157782516
RT_ICON	0xcf028	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.10649819494584838
RT_ICON	0xcf8d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.10838150289017341
RT_ICON	0xcfe38	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8712011577424024
RT_ICON	0xd1120	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.05668398677373642
RT_ICON	0xd5348	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08475103734439834
RT_ICON	0xd78f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09920262664165103
RT_ICON	0xd8998	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2047872340425532
RT_STRING	0xd8e00	0x3f8	data			0.3198818897637795
RT_STRING	0xd91f8	0x2dc	data			0.36475409836065575
RT_STRING	0xd94d4	0x430	data			0.40578358208955223
RT_STRING	0xd9904	0x44c	data			0.38636363636363635
RT_STRING	0xd9d50	0x2d4	data			0.39226519337016574
RT_STRING	0xda024	0xb8	data			0.6467391304347826
RT_STRING	0xda0dc	0x9c	data			0.6410256410256411
RT_STRING	0xda178	0x374	data			0.4230769230769231
RT_STRING	0xda4ec	0x398	data			0.3358695652173913
RT_STRING	0xda884	0x368	data			0.3795871559633027
RT_STRING	0xdabec	0x2a4	data			0.4275147928994083
RT_RCDATA	0xdae90	0x10	data			1.5
RT_RCDATA	0xdaea0	0x310	data			0.6173469387755102
RT_RCDATA	0xdb1b0	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0xdb1dc	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0xdb298	0x584	data	English	United States	0.2521246458923513
RT_MANIFEST	0xdb81c	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x40fc10
dbkFCallWrapperAddr	1	0x4b063c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	05:48:10
Start date:	17/01/2025
Path:	C:\Users\user\Desktop\JiH0aUfOU6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\JiH0aUfOU6.exe"
Imagebase:	0x2e0000
File size:	3'796'818 bytes
MD5 hash:	9B979D3D3F37BCB0525FE001B19BE432
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:48:11
Start date:	17/01/2025
Path:	C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp" /SL5="$7047C,2802098,845824,C:\Users\user\Desktop\JiH0aUfOU6.exe"
Imagebase:	0x750000
File size:	3'366'912 bytes
MD5 hash:	E587511F17C07622F2E88BDE6DC2A499
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 1%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:48:11
Start date:	17/01/2025
Path:	C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe" C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\script.a3x
Imagebase:	0x410000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 3%, ReversingLabs Detection: 4%, Virustotal, Browse
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	05:48:19
Start date:	17/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7632 -s 820
Imagebase:	0xe50000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report JiH0aUfOU6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Autoit3.exe_70b69d987cbe411a65bb4a3e8ac3e32f4409a1d_e0ee09ac_fc020f15-9386-4dbd-9c07-13e2760aa849\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9C7.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB4F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB8E.tmp.xml

C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\Autoit3.exe

C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-7ECNQ.tmp\script.a3x

C:\Users\user\AppData\Local\Temp\is-C6LCF.tmp\JiH0aUfOU6.tmp

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
JiH0aUfOU6.exe