Edit tour

Windows Analysis Report
KgpiJLs58m.exe

Overview

General Information

Sample name:	KgpiJLs58m.exe renamed because original name is a hash value
Original sample name:	6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea.exe
Analysis ID:	1599696
MD5:	998cd2e474751b5de344562b4ddb39e2
SHA1:	70ee02a76510b0757e3b26ffd98834f0d259f9d4
SHA256:	6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea
Tags:	155-138-149-77exeuser-JAMESWT_MHT
Infos:

Detection

DarkGate, MailPassView

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected DarkGate

Yara detected MailPassView

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May check if the current machine is a sandbox (GetTickCount - Sleep)

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the product ID of Windows

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

KgpiJLs58m.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\KgpiJLs58m.exe" MD5: 998CD2E474751B5DE344562B4DDB39E2)

Autoit3.exe (PID: 7364 cmdline: "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

cmd.exe (PID: 7420 cmdline: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bdfkcgf\hcbhhfk MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7468 cmdline: wmic ComputerSystem get domain MD5: E2DE6500DE1148C7F6027AD50AC8B891)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkGate	First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.	No Attribution	https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/ https://blog.sekoia.io/darkgate-internals/ https://blog.talosintelligence.com/darkgate-remote-template-injection/ https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/ https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.1805362311.0000000003B88000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000001.00000002.1805362311.0000000003B21000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.1805287853.0000000003A20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.1805287853.0000000003A20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
Process Memory Space: Autoit3.exe PID: 7364	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: Autoit3.exe PID: 7364	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
Click to see the 3 entries

Code function: 1_2_00E64632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_00E64632

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E64830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_00E64830

Source: C:\temp\test\Autoit3.exe

1_2_00E64632

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_03B5B188 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

1_2_03B5B188

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E50508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

1_2_00E50508

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E7D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_00E7D164

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_03B53A74 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,

1_2_03B53A74

Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B743EC NtDuplicateObject,NtClose,	1_2_03B743EC
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B7476C Sleep,TerminateThread,NtClose,NtClose,	1_2_03B7476C
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B744C8 NtQuerySystemInformation,NtDuplicateObject,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,	1_2_03B744C8
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B74420 NtQueryObject,NtQueryObject,	1_2_03B74420
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B74478 NtOpenProcess,	1_2_03B74478
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B4AF84 GetCurrentProcessId,OpenProcess,InitializeProcThreadAttributeList,GetProcessHeap,RtlAllocateHeap,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,	1_2_03B4AF84
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B52CF0 BeginPaint,SetBkMode,TextOutA,EndPaint,PostQuitMessage,NtdllDefWindowProc_A,	1_2_03B52CF0
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B4B2A4 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,	1_2_03B4B2A4

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E542D5: CreateFileW,DeviceIoControl,CloseHandle,

1_2_00E542D5

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E48F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_00E48F2E

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E55778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_00E55778

Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_062C0672	0_3_062C0672
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_0626D7DD	0_3_0626D7DD
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_062674FB	0_3_062674FB
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_062785F7	0_3_062785F7
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_06272296	0_3_06272296
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_062612EC	0_3_062612EC
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_0626BC0E	0_3_0626BC0E
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_06276C1E	0_3_06276C1E
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_062A8A7C	0_3_062A8A7C
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_0626C989	0_3_0626C989
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_0629E9EA	0_3_0629E9EA
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_062C0672	0_3_062C0672
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_0626D7DD	0_3_0626D7DD
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_062674FB	0_3_062674FB
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_062785F7	0_3_062785F7
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_06272296	0_3_06272296
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_062612EC	0_3_062612EC
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00DFB020	1_2_00DFB020
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00DF1663	1_2_00DF1663
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00DF9C80	1_2_00DF9C80
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E123F5	1_2_00E123F5
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E78400	1_2_00E78400
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E26502	1_2_00E26502
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00DFE6F0	1_2_00DFE6F0
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E2265E	1_2_00E2265E
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E1282A	1_2_00E1282A
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E289BF	1_2_00E289BF
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E26A74	1_2_00E26A74
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E70A3A	1_2_00E70A3A
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E00BE0	1_2_00E00BE0
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E4EDB2	1_2_00E4EDB2
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E1CD51	1_2_00E1CD51
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E70EB7	1_2_00E70EB7
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E58E44	1_2_00E58E44
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E26FE6	1_2_00E26FE6
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E133B7	1_2_00E133B7
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00DF94E0	1_2_00DF94E0
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E0D45D	1_2_00E0D45D
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E1F409	1_2_00E1F409
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E116B4	1_2_00E116B4
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00DFF6A0	1_2_00DFF6A0
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E0F628	1_2_00E0F628
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E178C3	1_2_00E178C3
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E1DBA5	1_2_00E1DBA5
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E11BA8	1_2_00E11BA8
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E29CE5	1_2_00E29CE5
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E0DD28	1_2_00E0DD28
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E11FC0	1_2_00E11FC0
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E1BFD6	1_2_00E1BFD6
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B4A79C	1_2_03B4A79C
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B46438	1_2_03B46438
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B5EC00	1_2_03B5EC00
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B6B1B8	1_2_03B6B1B8
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B69BD0	1_2_03B69BD0

Source: Joe Sandbox View

Dropped File: C:\temp\test\Autoit3.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D

Source: C:\temp\test\Autoit3.exe	Code function: String function: 00E01A36 appears 34 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 03B24904 appears 92 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 00E10D17 appears 70 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 03B24394 appears 101 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 03B521B8 appears 36 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 00E18B30 appears 42 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 03B24668 appears 48 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 03B26980 appears 111 times
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: String function: 062717A8 appears 39 times
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: String function: 06268768 appears 48 times

Source: KgpiJLs58m.exe

Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: KgpiJLs58m.exe	Binary or memory string: OriginalFilename vs KgpiJLs58m.exe
Source: KgpiJLs58m.exe, 00000000.00000002.1757967154.00000000026CC000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs KgpiJLs58m.exe
Source: KgpiJLs58m.exe, 00000000.00000003.1754632762.0000000006304000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs KgpiJLs58m.exe
Source: KgpiJLs58m.exe, 00000000.00000003.1754393629.00000000063E3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs KgpiJLs58m.exe
Source: KgpiJLs58m.exe, 00000000.00000002.1760547807.00000000044EC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs KgpiJLs58m.exe

Source: KgpiJLs58m.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal80.troj.spyw.evad.winEXE@8/4@0/0

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E5A6AD GetLastError,FormatMessageW,

1_2_00E5A6AD

Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E48DE9 AdjustTokenPrivileges,CloseHandle,		1_2_00E48DE9
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E49399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_00E49399

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E5B976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_00E5B976

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E54148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_00E54148

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E5C9DA CoInitialize,CoCreateInstance,CoUninitialize,

1_2_00E5C9DA

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E5443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

1_2_00E5443D

Source: C:\temp\test\Autoit3.exe

File created: C:\Users\user\AppData\Roaming\fFDhBHC

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03

Source: C:\Users\user\Desktop\KgpiJLs58m.exe

File created: c:\temp\test

Jump to behavior

Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\KgpiJLs58m.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: KgpiJLs58m.exe	Virustotal: Detection: 49%
Source: KgpiJLs58m.exe	ReversingLabs: Detection: 50%

Source: KgpiJLs58m.exe	String found in binary or memory: -Helper process exited with failure code: 0x%x
Source: KgpiJLs58m.exe	String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
Source: KgpiJLs58m.exe	String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
Source: KgpiJLs58m.exe	String found in binary or memory: /LoadInf=

Source: unknown	Process created: C:\Users\user\Desktop\KgpiJLs58m.exe "C:\Users\user\Desktop\KgpiJLs58m.exe"
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Process created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
Source: C:\temp\test\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bdfkcgf\hcbhhfk
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Process created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bdfkcgf\hcbhhfk	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain	Jump to behavior

Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: KgpiJLs58m.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: KgpiJLs58m.exe

Static file information: File size 4256256 > 1048576

Source: KgpiJLs58m.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x258200
Source: KgpiJLs58m.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1aa400

Source: KgpiJLs58m.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E6C6D9 LoadLibraryA,GetProcAddress,

1_2_00E6C6D9

Source: KgpiJLs58m.exe

Static PE information: real checksum: 0x29fb81 should be: 0x4144b0

Source: KgpiJLs58m.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_062687AD push ecx; ret	0_3_062687C0
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_062448C2 push esi; ret	0_3_062448C5
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_062448C2 push esi; ret	0_3_062448C5
Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Code function: 0_3_062687AD push ecx; ret	0_3_062687C0
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E1E93F push edi; ret	1_2_00E1E941
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E58A4A push FFFFFF8Bh; iretd	1_2_00E58A4C
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E1EA58 push esi; ret	1_2_00E1EA5A
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E0CBDB push eax; retf	1_2_00E0CBF8
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E18B75 push ecx; ret	1_2_00E18B88
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E1EC33 push esi; ret	1_2_00E1EC35
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E1ED1C push edi; ret	1_2_00E1ED1E
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_0103D049 push 0103D075h; ret	1_2_0103D06D
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_0103D082 push 0103D32Dh; ret	1_2_0103D325
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_0103D301 push 0103D32Dh; ret	1_2_0103D325
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_0103AD1D push eax; ret	1_2_0103AD59
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_010405A9 push 01040731h; ret	1_2_01040729
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_010405B5 push 01040731h; ret	1_2_01040729
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_0103CCB9 push 0103CD0Ah; ret	1_2_0103CD02
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_0103CF01 push 0103CF2Dh; ret	1_2_0103CF25
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_01040735 push 010407A4h; ret	1_2_0104079C
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_01040733 push 010407A4h; ret	1_2_0104079C
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_0103CF39 push 0103CF65h; ret	1_2_0103CF5D
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_0103DFB9 push ecx; mov dword ptr [esp], eax	1_2_0103DFBA
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_01040EA1 push 01040EC7h; ret	1_2_01040EBF
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B743A4 push 03B743D0h; ret	1_2_03B743C8
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B783A0 push 03B783CCh; ret	1_2_03B783C4
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B3C380 push 03B3C3B4h; ret	1_2_03B3C3AC
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B3C388 push 03B3C3B4h; ret	1_2_03B3C3AC
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B783D8 push 03B78404h; ret	1_2_03B783FC
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B78330 push 03B7835Ch; ret	1_2_03B78354
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B78368 push 03B78394h; ret	1_2_03B7838C

Source: C:\Users\user\Desktop\KgpiJLs58m.exe

File created: C:\temp\test\Autoit3.exe

Jump to dropped file

Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E759B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_00E759B3
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E05EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_00E05EDA

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E133B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00E133B7

Source: C:\temp\test\Autoit3.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_03B7C828

1_2_03B7C828

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1805362311.0000000003B21000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1805287853.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: SUPERANTISPYWARE.EXE

Source: C:\temp\test\Autoit3.exe

API coverage: 5.1 %

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_03B7C828

1_2_03B7C828

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Domain FROM Win32_ComputerSystem

Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E54005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00E54005
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E5C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00E5C2FF
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E5494A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00E5494A
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E5CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_00E5CD9F
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E5CD14 FindFirstFileW,FindClose,	1_2_00E5CD14
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E5F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00E5F5D8
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E5F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_00E5F735
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E5FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_00E5FA36
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E53CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00E53CE2
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_0103C65D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	1_2_0103C65D
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B7A584 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,	1_2_03B7A584
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B28AFC FindFirstFileA,GetLastError,	1_2_03B28AFC
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B289F4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	1_2_03B289F4
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B731F8 FindFirstFileW,FindNextFileW,FindClose,	1_2_03B731F8
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B7BA70 FindFirstFileW,FindNextFileW,FindClose,	1_2_03B7BA70
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B25974 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	1_2_03B25974
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B3BD8C FindFirstFileA,FindNextFileA,FindClose,	1_2_03B3BD8C
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B53D68 FindFirstFileW,FindNextFileW,FindClose,	1_2_03B53D68

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E05D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00E05D13

Source: Autoit3.exe, 00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1805362311.0000000003B21000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1805287853.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: Autoit3.exe, 00000001.00000002.1803971308.000000000104A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\temp\test\Autoit3.exe

API call chain: ExitProcess graph end node

graph_1-139153

Source: C:\temp\test\Autoit3.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E645D5 BlockInput,

1_2_00E645D5

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E05240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00E05240

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E25CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_00E25CAC

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E6C6D9 LoadLibraryA,GetProcAddress,

1_2_00E6C6D9

Source: C:\temp\test\Autoit3.exe	Code function: 1_2_0104925E mov eax, dword ptr fs:[00000030h]	1_2_0104925E
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B480A4 mov eax, dword ptr fs:[00000030h]	1_2_03B480A4
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B4A79C mov eax, dword ptr fs:[00000030h]	1_2_03B4A79C
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B4A79C mov eax, dword ptr fs:[00000030h]	1_2_03B4A79C

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E488CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

1_2_00E488CD

Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E1A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_00E1A385
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E1A354 SetUnhandledExceptionFilter,		1_2_00E1A354

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_03B4DCB8 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,

1_2_03B4DCB8

Contains functionality to inject threads in other processes

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_03B4DCB8 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,

1_2_03B4DCB8

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E49369 LogonUserW,

1_2_00E49369

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E05240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00E05240

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E51AC6 SendInput,keybd_event,

1_2_00E51AC6

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E551E2 mouse_event,

1_2_00E551E2

Source: C:\Users\user\Desktop\KgpiJLs58m.exe	Process created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bdfkcgf\hcbhhfk	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain	Jump to behavior

Source: C:\temp\test\Autoit3.exe

1_2_00E488CD

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E54F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_00E54F1C

Source: KgpiJLs58m.exe, 00000000.00000002.1757967154.00000000026BE000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754393629.00000000063D5000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1760547807.00000000044DE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: KgpiJLs58m.exe, Autoit3.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\KgpiJLs58m.exe

Code function: 0_3_06268493 cpuid

0_3_06268493

Source: C:\temp\test\Autoit3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	1_2_0103C835
Source: C:\temp\test\Autoit3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	1_2_0103C93F
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	1_2_0103EB19
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	1_2_0103EACD
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	1_2_0103CC45
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,GetACP,	1_2_0103FC71
Source: C:\temp\test\Autoit3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	1_2_03B25B4C
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	1_2_03B26470
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,GetACP,	1_2_03B2CC88
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	1_2_03B2B620
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	1_2_03B2B66C
Source: C:\temp\test\Autoit3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	1_2_03B25C56

Source: C:\temp\test\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\temp\test\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\temp\test\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior
Source: C:\temp\test\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E30030 GetLocalTime,__swprintf,

1_2_00E30030

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E30722 GetUserNameW,

1_2_00E30722

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E2416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_00E2416A

Source: C:\temp\test\Autoit3.exe

Code function: 1_2_00E05D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00E05D13

Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1805362311.0000000003B21000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1805287853.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1805362311.0000000003B21000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1805287853.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: superantispyware.exe

Stealing of Sensitive Information

Yara detected DarkGate

Source: Yara match	File source: 00000001.00000002.1805362311.0000000003B88000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1805287853.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 7364, type: MEMORYSTR

Yara detected MailPassView

Source: Yara match	File source: 00000001.00000002.1805362311.0000000003B21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1805287853.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 7364, type: MEMORYSTR

Source: Autoit3.exe	Binary or memory string: WIN_81
Source: Autoit3.exe	Binary or memory string: WIN_XP
Source: Autoit3.exe	Binary or memory string: WIN_XPe
Source: Autoit3.exe	Binary or memory string: WIN_VISTA
Source: Autoit3.exe	Binary or memory string: WIN_7
Source: Autoit3.exe	Binary or memory string: WIN_8
Source: Autoit3.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected DarkGate

Source: Yara match	File source: 00000001.00000002.1805362311.0000000003B88000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1805287853.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 7364, type: MEMORYSTR

Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E6696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	1_2_00E6696E
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_00E66E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_00E66E32
Source: C:\temp\test\Autoit3.exe	Code function: 1_2_03B3CCB4 bind,	1_2_03B3CCB4

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Create Account	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	55 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	261 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
KgpiJLs58m.exe	49%	Virustotal		Browse
KgpiJLs58m.exe	50%	ReversingLabs	Win32.Trojan.Darkgate

Dropped Files

Source	Detection	Scanner	Label	Link
C:\temp\test\Autoit3.exe	3%	ReversingLabs
C:\temp\test\Autoit3.exe	4%	Virustotal		Browse

Name	Source	Malicious	Reputation
http://www.innosetup.com/	KgpiJLs58m.exe	false	high
http://www.autoitscript.com/autoit3/J	KgpiJLs58m.exe, 00000000.00000002.1757967154.00000000026CC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754632762.0000000006304000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754393629.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1760547807.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000000.1755956330.0000000000EB9000.00000002.00000001.01000000.00000004.sdmp, Autoit3.exe.0.dr	false	high
http://ipinfo.io/ip	Autoit3.exe, Autoit3.exe, 00000001.00000002.1805362311.0000000003B21000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1805287853.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp	false	high
http://www.autoitscript.com/autoit3/	KgpiJLs58m.exe	false	high
http://www.remobjects.com/ps	KgpiJLs58m.exe	false	high
https://mail.google.com/mail/u/0/#inbox	Autoit3.exe, 00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp	false	high
https://www.autoitscript.com/autoit3/	KgpiJLs58m.exe, 00000000.00000002.1757967154.00000000026CC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754632762.0000000006304000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754393629.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1760547807.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	false	high
http://ipinfo.io/ipU	Autoit3.exe, 00000001.00000002.1805362311.0000000003B21000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1805287853.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1599696
Start date and time:	2025-01-26 10:18:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KgpiJLs58m.exe renamed because original name is a hash value
Original Sample Name:	6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea.exe
Detection:	MAL
Classification:	mal80.troj.spyw.evad.winEXE@8/4@0/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 100 Number of non-executed functions: 316
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target KgpiJLs58m.exe, PID 7348 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
04:19:08	API Interceptor	1x Sleep call for process: WMIC.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\temp\test\Autoit3.exe	Notion Setup 4.3.0 (4).exe	Get hash	malicious	DarkGate, MailPassView	Browse
	Notion Setup 4.3.0 (4).exe	Get hash	malicious	DarkGate, MailPassView	Browse
	JiH0aUfOU6.exe	Get hash	malicious	Unknown	Browse
	JiH0aUfOU6.exe	Get hash	malicious	Unknown	Browse
	2YLM6BQ9S3.exe	Get hash	malicious	RedLine	Browse
	sEOELQpFOB.lnk	Get hash	malicious	RedLine	Browse
	ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk	Get hash	malicious	RedLine, SectopRAT	Browse
	payload_1.hta	Get hash	malicious	RedLine	Browse
	fsg5PWtTm2.lnk	Get hash	malicious	RedLine, SectopRAT	Browse
	Whatsapp-GUI.exe	Get hash	malicious	DarkGate, MailPassView	Browse

Created / dropped Files

C:\ProgramData\bdfkcgf\hcbhhfk

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.914979271060093
Encrypted:	false
SSDEEP:	3:Qh9eolFl+2KlFlFAn:Q7eY+hf2n
MD5:	6BCC3A71E109CE3BA3A86C0A4B64599A
SHA1:	6FCF197A0DE268743B76690EDA96F587ECEE4146
SHA-256:	A786F0AAC81205BA1BDC87A3EDC60E262D265A86FAF23B72F67AE52F94EBFCDC
SHA-512:	4CB16970C2FEE11D49467CE90210E646A46364BFD402923BE5FF1789421B12B1AA6890438C5819672DE95BA0BE6A6ACE03E5FD49E48A110B8D66DFFD5CBE8B4E
Malicious:	false
Reputation:	low
Preview:	..D.o.m.a.i.n. . .....D.W.x.S.F. . . .....

C:\Users\user\AppData\Roaming\fFDhBHC

Download File

Process:	C:\temp\test\Autoit3.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.628928031846024
Encrypted:	false
SSDEEP:	3:9RkgiKkHzHlGtNGc:Pkn/HzF6NGc
MD5:	7FEE8C10F7D8EF4934CE62547CAA0E69
SHA1:	ECF8981CACA5F8A55451F4EFAA725CD8F6886DA1
SHA-256:	AA819018EA0524D5D4BE4E3DCA78449350E5765CE5DDB3C85D508557A6F0240F
SHA-512:	89690E055A2F9CF48F2643325E7F619BDA42FC5074DDC91B7D085C03C7B92673730CF08170B9D6B36D1FD58E04ADD66D1D042A80EAC8399CBB21B34F64F13897
Malicious:	false
Reputation:	low
Preview:	DAKhGAAEGHHDaAbBAHFbGbeecHhcffED

C:\temp\test\Autoit3.exe

Download File

Process:	C:\Users\user\Desktop\KgpiJLs58m.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 4%, Browse
Joe Sandbox View:	Filename: Notion Setup 4.3.0 (4).exe, Detection: malicious, Browse Filename: Notion Setup 4.3.0 (4).exe, Detection: malicious, Browse Filename: JiH0aUfOU6.exe, Detection: malicious, Browse Filename: JiH0aUfOU6.exe, Detection: malicious, Browse Filename: 2YLM6BQ9S3.exe, Detection: malicious, Browse Filename: sEOELQpFOB.lnk, Detection: malicious, Browse Filename: ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk, Detection: malicious, Browse Filename: payload_1.hta, Detection: malicious, Browse Filename: fsg5PWtTm2.lnk, Detection: malicious, Browse Filename: Whatsapp-GUI.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\temp\test\script.a3x

Download File

Process:	C:\Users\user\Desktop\KgpiJLs58m.exe
File Type:	data
Category:	dropped
Size (bytes):	598250
Entropy (8bit):	6.847347226287514
Encrypted:	false
SSDEEP:	12288:hQxqgrQxqgjneQJAvPstG0WtFNXenxmM5yN059S2Ai6IwbLqNKG7tY:ercrjtGXY6enxHyG5uizOo7m
MD5:	B94C5E38BBF4B6EF11E0442CE58C3131
SHA1:	00B5A444BC5E52F7DD9753383317EB2497EC4B38
SHA-256:	037E15B09413722B48802E6268848D0698B9ED468CD447B40E31EFA5CDB3C313
SHA-512:	546C148FAFD8298F79BF0B02C707AB88F5E15B099903ED725D11DF6345F2A73121BB385E5E094A8EF2A165284A760C104CD03B25804CC55B11A6F22B64A90914
Malicious:	false
Reputation:	low
Preview:	P)y............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................P)y......................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.096895677278031
TrID:	Win32 Executable (generic) a (10002005/4) 98.88% Inno Setup installer (109748/4) 1.08% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	KgpiJLs58m.exe
File size:	4'256'256 bytes
MD5:	998cd2e474751b5de344562b4ddb39e2
SHA1:	70ee02a76510b0757e3b26ffd98834f0d259f9d4
SHA256:	6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea
SHA512:	e69e703c79e9c151245cef8caaa18b30fc2992c72e98b2e197239eb439837ee3c5d446e99f117f4aec0dc56527fd943949e62bbaadd43e123d83d53ad09f43e7
SSDEEP:	49152:gR/KpmZubPf2S8W2ILeWl+C1pNjWy5Snd0eigXNG/2KyT0aXgkKdOcUP6CVjyusJ:G/jtYLP16y5E04Za1UP6mod
TLSH:	54167D1BB744783FD4AA06338823C6705937BE21B9A2CC5B67F43E0C6F359906B39656
File Content Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	162854445c542180

Static PE Info

General

Entrypoint:	0x65c4a4
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5EC61809 [Thu May 21 05:56:25 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	16c8c7a62c852018ed02e453e144c998

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
push esi
push edi
mov eax, 00651408h
call 00007FD158407522h
mov eax, dword ptr [00662788h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000188h]
push FFFFFFECh
push eax
call 00007FD15840B581h
mov edx, dword ptr [00662788h]
mov edx, dword ptr [edx]
mov edx, dword ptr [edx+00000188h]
and eax, FFFFFF7Fh
push eax
push FFFFFFECh
push edx
call 00007FD15840B56Dh
xor eax, eax
push ebp
push 0065C528h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000001h
call 00007FD15840A8D8h
call 00007FD1586499B3h
mov eax, dword ptr [00651030h]
push eax
push 006510C8h
mov eax, dword ptr [00662788h]
mov eax, dword ptr [eax]
call 00007FD15859B758h
call 00007FD158649A07h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007FD158654D5Bh
jmp 00007FD158400298h
call 00007FD15864974Fh
mov eax, 00000001h
call 00007FD158400D81h
call 00007FD1584006DCh
mov eax, dword ptr [00662788h]
mov eax, dword ptr [eax]
mov edx, 0065C6BCh
call 00007FD15859B22Fh
push 00000005h
mov eax, dword ptr [00662788h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000188h]
push eax
call 00007FD15840B296h
mov eax, dword ptr [00662788h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x270000	0x97	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x26b000	0x35d8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x273000	0x1aa248	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x272000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x26b94c	0x848	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x26f000	0x9ee	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2581fc	0x258200	9ce38ee07dc8de6515f5e582039c012f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x25a000	0x26c8	0x2800	367bc90dd8be7c6a1056ad2a82281084	False	0.503125	data	6.119631643767066	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x25d000	0x5a64	0x5c00	c20c3606951695cd5626a53022531398	False	0.40281080163043476	data	5.055173307610014	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x263000	0x780c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x26b000	0x35d8	0x3600	6cbfeeac8d17ca3b356e9c16e6f19fc1	False	0.33622685185185186	data	5.280395234482991	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x26f000	0x9ee	0xa00	2726dff14c86e88d2aaa4303cf2dc681	False	0.36328125	data	4.360393246158077	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x270000	0x97	0x200	8c377a4128fcc7899b263e28899a337b	False	0.251953125	data	1.7456444612923019	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x271000	0x44	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x272000	0x5d	0x200	be59fdae8b4a80179fdb6b9e7588da9e	False	0.189453125	data	1.4090774709019303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x273000	0x1aa248	0x1aa400	4f0490ef60b5eb8b64d8a251779511c0	False	0.7045408724340176	data	7.642057868934714	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
EKYXKPA62BJZH3QNRUC	0x273dd8	0x177c08	data			0.7448005676269531
RT_CURSOR	0x3eb9e0	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x3ebb14	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x3ebc48	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x3ebd7c	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x3ebeb0	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x3ebfe4	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x3ec118	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x3ec24c	0xd28	Device independent bitmap graphic, 48 x 48 x 8, image size 0, resolution 3780 x 3780 px/m, 256 important colors			0.16508313539192399
RT_BITMAP	0x3ecf74	0x32a	Device independent bitmap graphic, 16 x 16 x 24, image size 770, resolution 3779 x 3779 px/m			0.2074074074074074
RT_ICON	0x3ed2a0	0x2a47	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9626720872216575
RT_ICON	0x3efce8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	English	United States	0.07821187743996215
RT_ICON	0x400510	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m	English	United States	0.10350536052133698
RT_ICON	0x4099b8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	English	United States	0.15653046764289089
RT_ICON	0x40dbe0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	English	United States	0.21597510373443984
RT_ICON	0x410188	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	English	United States	0.3219981238273921
RT_ICON	0x411230	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m	English	United States	0.42745901639344264
RT_ICON	0x411bb8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	English	United States	0.5966312056737588
RT_STRING	0x412020	0x6c	data			0.6018518518518519
RT_STRING	0x41208c	0x250	data			0.46790540540540543
RT_STRING	0x4122dc	0x204	data			0.46705426356589147
RT_STRING	0x4124e0	0x3ec	data			0.3894422310756972
RT_STRING	0x4128cc	0x410	data			0.41634615384615387
RT_STRING	0x412cdc	0x160	data			0.59375
RT_STRING	0x412e3c	0xd0	data			0.6778846153846154
RT_STRING	0x412f0c	0x2f4	data			0.43253968253968256
RT_STRING	0x413200	0x3fc	data			0.37941176470588234
RT_STRING	0x4135fc	0x49c	data			0.35338983050847456
RT_STRING	0x413a98	0x29c	data			0.31736526946107785
RT_STRING	0x413d34	0x3f0	data			0.43154761904761907
RT_STRING	0x414124	0x438	data			0.3731481481481482
RT_STRING	0x41455c	0x3ac	data			0.3861702127659574
RT_STRING	0x414908	0x404	data			0.3764591439688716
RT_STRING	0x414d0c	0x2ac	data			0.38742690058479534
RT_STRING	0x414fb8	0xb8	data			0.657608695652174
RT_STRING	0x415070	0xd0	data			0.6201923076923077
RT_STRING	0x415140	0x354	data			0.4284037558685446
RT_STRING	0x415494	0x3ac	data			0.3425531914893617
RT_STRING	0x415840	0x354	data			0.3826291079812207
RT_STRING	0x415b94	0x2c0	data			0.41051136363636365
RT_RCDATA	0x415e54	0x10	data			1.5
RT_RCDATA	0x415e64	0x1800	PE32+ executable (console) x86-64, for MS Windows	English	United States	0.3924153645833333
RT_RCDATA	0x417664	0xac4	data			0.5446298984034833
RT_RCDATA	0x418128	0x147	Delphi compiled form 'TMainForm'			0.746177370030581
RT_RCDATA	0x418270	0x480	Delphi compiled form 'TNewDiskForm'			0.5034722222222222
RT_RCDATA	0x4186f0	0x400	Delphi compiled form 'TSelectFolderForm'			0.5087890625
RT_RCDATA	0x418af0	0x4b5	Delphi compiled form 'TSelectLanguageForm'			0.5004149377593361
RT_RCDATA	0x418fa8	0x7ff	Delphi compiled form 'TUninstallProgressForm'			0.4054714215925745
RT_RCDATA	0x4197a8	0x55c	Delphi compiled form 'TUninstSharedFileForm'			0.41690962099125367
RT_RCDATA	0x419d04	0x2ac9	Delphi compiled form 'TWizardForm'			0.19811923673879303
RT_GROUP_CURSOR	0x41c7d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x41c7e4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x41c7f8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x41c80c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x41c820	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x41c834	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x41c848	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x41c85c	0x76	data	English	United States	0.7457627118644068
RT_VERSION	0x41c8d4	0x24c	data	English	United States	0.47959183673469385
RT_MANIFEST	0x41cb20	0x726	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4005464480874317

Imports

DLL	Import
mpr.dll	WNetEnumResourceW, WNetGetUniversalNameW, WNetGetConnectionW, WNetCloseEnum, WNetOpenEnumW
comdlg32.dll	GetSaveFileNameW, GetOpenFileNameW
comctl32.dll	FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_Draw, ImageList_Remove
shell32.dll	SHBrowseForFolderW, ExtractIconW, SHGetMalloc, SHGetFileInfoW, SHChangeNotify, Shell_NotifyIconW, ShellExecuteW, SHGetPathFromIDListW, ShellExecuteExW
user32.dll	CopyImage, CreateWindowExW, GetMenuItemInfoW, SetMenuItemInfoW, DefFrameProcW, GetDCEx, GetMessageW, PeekMessageW, MonitorFromWindow, GetDlgCtrlID, ScrollWindowEx, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, FrameRect, MapVirtualKeyW, OffsetRect, IsWindowUnicode, RegisterWindowMessageW, FillRect, GetMenuStringW, DispatchMessageW, SendMessageA, DefMDIChildProcW, EnumWindows, GetClassInfoW, GetSystemMenu, WaitForInputIdle, ShowOwnedPopups, GetScrollRange, GetScrollPos, SetScrollPos, GetActiveWindow, SetActiveWindow, DrawEdge, InflateRect, GetKeyboardLayoutList, OemToCharBuffA, LoadBitmapW, DrawFocusRect, EnumChildWindows, GetScrollBarInfo, SendNotifyMessageW, ReleaseCapture, UnhookWindowsHookEx, LoadCursorW, GetCapture, SetCapture, CreatePopupMenu, ScrollWindow, ShowCaret, GetMenuItemID, GetLastActivePopup, CharLowerBuffW, GetSystemMetrics, SetWindowLongW, PostMessageW, DrawMenuBar, SetParent, IsZoomed, CharUpperBuffW, GetClientRect, IsChild, ClientToScreen, SetWindowPlacement, IsIconic, CallNextHookEx, GetMonitorInfoW, ShowWindow, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, SetForegroundWindow, GetWindowTextW, EnableWindow, DestroyWindow, IsDialogMessageW, EndMenu, RegisterClassW, CharNextW, GetWindowThreadProcessId, RedrawWindow, GetDC, GetFocus, SetFocus, EndPaint, ExitWindowsEx, ReleaseDC, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, GetClassLongW, ActivateKeyboardLayout, GetParent, CharToOemBuffA, DrawTextW, SetScrollRange, InsertMenuItemW, PeekMessageA, GetPropW, SetClassLongW, MessageBoxW, MessageBeep, SetPropW, SetRectEmpty, UpdateWindow, RemovePropW, GetSubMenu, MsgWaitForMultipleObjects, DestroyMenu, DestroyIcon, SetWindowsHookExW, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, AdjustWindowRectEx, DrawIcon, IsWindow, EnumThreadWindows, InvalidateRect, GetKeyboardState, DrawFrameControl, ScreenToClient, SendMessageTimeoutW, BringWindowToTop, SetCursor, CreateIcon, CreateMenu, LoadStringW, CharLowerW, SetWindowPos, SetWindowRgn, GetMenuItemCount, RemoveMenu, AppendMenuW, GetSysColorBrush, GetKeyboardLayoutNameW, GetWindowDC, TranslateMessage, DrawTextExW, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, DestroyCursor, ReplyMessage, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, EnableScrollBar, GetSysColor, TrackPopupMenu, DrawIconEx, PostQuitMessage, GetClassNameW, ShowScrollBar, EnableMenuItem, GetIconInfo, GetMessagePos, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, GetCursorPos, SetCursorPos, HideCaret, GetMenu, GetMenuState, SetMenu, SetRect, GetKeyState, FindWindowExW, MonitorFromPoint, SystemParametersInfoW, LoadIconW, GetCursor, GetWindow, GetWindowLongW, GetWindowRect, InsertMenuW, KillTimer, WaitMessage, IsWindowEnabled, IsDialogMessageA, TranslateMDISysAccel, GetWindowPlacement, FindWindowW, DeleteMenu, GetKeyboardLayout
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll	SafeArrayPutElement, LoadTypeLib, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, GetActiveObject, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, RegisterTypeLib, VariantChangeType, VariantCopyInd
advapi32.dll	RegSetValueExW, RegEnumKeyExW, AdjustTokenPrivileges, OpenThreadToken, GetUserNameW, RegDeleteKeyW, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegQueryInfoKeyW, AllocateAndInitializeSid, FreeSid, EqualSid, RegDeleteValueW, RegFlushKey, RegQueryValueExW, RegEnumValueW, GetTokenInformation, InitializeSecurityDescriptor, RegCloseKey, RegCreateKeyExW, SetSecurityDescriptorDacl
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
kernel32.dll	SetFileAttributesW, SetFileTime, GetACP, GetExitCodeProcess, IsBadWritePtr, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, QueryPerformanceFrequency, FindNextFileW, GetFullPathNameW, VirtualFree, ExitProcess, HeapAlloc, WriteProfileStringW, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, HeapDestroy, CompareFileTime, ReadFile, CreateProcessW, TransactNamedPipe, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, OpenMutexW, CreateThread, CompareStringW, CopyFileW, CreateMutexW, LoadLibraryA, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, MoveFileW, GlobalAddAtomW, GetSystemTimeAsFileTime, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, GetCurrentThread, GetLogicalDrives, LocalFileTimeToFileTime, SetNamedPipeHandleState, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetShortPathNameW, GetCurrentThreadId, UnhandledExceptionFilter, MoveFileExW, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, FlushFileBuffers, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GetStartupInfoW, GlobalDeleteAtom, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, DeviceIoControl, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, lstrcmpW, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateNamedPipeW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetOverlappedResult, GetSystemDefaultUILanguage, EnumCalendarInfoW, GetProfileStringW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, IsDBCSLeadByte, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
ole32.dll	StgCreateDocfileOnILockBytes, CoCreateInstance, CLSIDFromString, CoUninitialize, IsEqualGUID, OleInitialize, CoFreeUnusedLibraries, CreateILockBytesOnHGlobal, CLSIDFromProgID, OleUninitialize, CoDisconnectObject, CoInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID
gdi32.dll	Arc, Pie, SetBkMode, SelectPalette, CreateCompatibleBitmap, ExcludeClipRect, RectVisible, SetWindowOrgEx, MaskBlt, AngleArc, Chord, SetTextColor, StretchBlt, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, RemoveFontResourceW, GetWindowOrgEx, CreatePalette, CreateBrushIndirect, PatBlt, LineDDA, PolyBezierTo, GetStockObject, CreateSolidBrush, Polygon, Rectangle, MoveToEx, DeleteDC, SaveDC, BitBlt, Ellipse, FrameRgn, GetDeviceCaps, GetBitmapBits, GetTextExtentPoint32W, GetClipBox, Polyline, IntersectClipRect, GetSystemPaletteEntries, CreateBitmap, AddFontResourceW, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, CreatePenIndirect, SetStretchBltMode, GetDIBits, CreateFontIndirectW, PolyBezier, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, DeleteObject, SelectObject, ExtFloodFill, UnrealizeObject, SetBkColor, CreateCompatibleDC, GetObjectW, GetBrushOrgEx, GetCurrentPositionEx, SetROP2, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, ArcTo, GdiFlush, SetPixel, EnumFontFamiliesExW, GetPaletteEntries

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4aefc0
__dbk_fcall_wrapper	2	0x40eb68
dbkFCallWrapperAddr	1	0x66663c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	04:19:04
Start date:	26/01/2025
Path:	C:\Users\user\Desktop\KgpiJLs58m.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\KgpiJLs58m.exe"
Imagebase:	0x400000
File size:	4'256'256 bytes
MD5 hash:	998CD2E474751B5DE344562B4DDB39E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:19:05
Start date:	26/01/2025
Path:	C:\temp\test\Autoit3.exe
Wow64 process (32bit):	true
Commandline:	"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
Imagebase:	0xdf0000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000001.00000002.1805362311.0000000003B88000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.1805362311.0000000003B21000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.1805287853.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000001.00000002.1805287853.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs Detection: 4%, Virustotal, Browse
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:19:07
Start date:	26/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\bdfkcgf\hcbhhfk
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:19:07
Start date:	26/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:19:07
Start date:	26/01/2025
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic ComputerSystem get domain
Imagebase:	0x890000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Source: KgpiJLs58m.exe, 00000000.00000002.1757967154.00000000026CC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754632762.0000000006304000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754393629.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1760547807.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: KgpiJLs58m.exe, 00000000.00000002.1757967154.00000000026CC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754632762.0000000006304000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754393629.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1760547807.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: KgpiJLs58m.exe, 00000000.00000002.1757967154.00000000026CC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754632762.0000000006304000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754393629.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1760547807.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: KgpiJLs58m.exe, 00000000.00000002.1757967154.00000000026CC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754632762.0000000006304000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754393629.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1760547807.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1765713280.000000000631A000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1805362311.0000000003B21000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1805287853.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/ip
Source: Autoit3.exe, 00000001.00000002.1805362311.0000000003B21000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1805287853.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/ipU
Source: KgpiJLs58m.exe, 00000000.00000002.1757967154.00000000026CC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754632762.0000000006304000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754393629.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1760547807.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: KgpiJLs58m.exe, 00000000.00000002.1757967154.00000000026CC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754632762.0000000006304000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754393629.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1760547807.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: KgpiJLs58m.exe, 00000000.00000002.1757967154.00000000026CC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754632762.0000000006304000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754393629.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1760547807.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: KgpiJLs58m.exe, 00000000.00000002.1757967154.00000000026CC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754632762.0000000006304000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754393629.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1760547807.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: KgpiJLs58m.exe, 00000000.00000002.1757967154.00000000026CC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754632762.0000000006304000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754393629.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1760547807.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: KgpiJLs58m.exe	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: KgpiJLs58m.exe, 00000000.00000002.1757967154.00000000026CC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754632762.0000000006304000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754393629.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1760547807.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000000.1755956330.0000000000EB9000.00000002.00000001.01000000.00000004.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: KgpiJLs58m.exe	String found in binary or memory: http://www.innosetup.com/
Source: KgpiJLs58m.exe	String found in binary or memory: http://www.remobjects.com/ps
Source: Autoit3.exe, 00000001.00000002.1805050705.000000000396C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/u/0/#inbox
Source: KgpiJLs58m.exe, 00000000.00000002.1757967154.00000000026CC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754632762.0000000006304000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754393629.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1760547807.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Autoit3.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: KgpiJLs58m.exe, 00000000.00000002.1757967154.00000000026CC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754632762.0000000006304000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1754393629.00000000063E3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1760547807.00000000044EC000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1765713280.000000000631A000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Source: KgpiJLs58m.exe	Virustotal: Detection: 49%			Perma Link
Source: KgpiJLs58m.exe	ReversingLabs: Detection: 50%

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KgpiJLs58m.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\bdfkcgf\hcbhhfk

C:\Users\user\AppData\Roaming\fFDhBHC

C:\temp\test\Autoit3.exe

C:\temp\test\script.a3x

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
KgpiJLs58m.exe