Windows Analysis Report
KgpiJLs58m.exe

Overview

General Information

Sample name: KgpiJLs58m.exe (renamed because original name is a hash value)
Original sample name: 6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea.exe
Analysis ID: 1599696
MD5: 998cd2e474751b5de344562b4ddb39e2
SHA1: 70ee02a76510b0757e3b26ffd98834f0d259f9d4
SHA256: 6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea
Tags: 155-138-149-77, exe, user-JAMESWT_MHT

Detection

DarkGate, MailPassView
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected DarkGate
Yara detected MailPassView
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the product ID of Windows
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • KgpiJLs58m.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\KgpiJLs58m.exe" MD5: 998CD2E474751B5DE344562B4DDB39E2)
    • Autoit3.exe (PID: 7348 cmdline: "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)
      • cmd.exe (PID: 7388 cmdline: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ccheffe\beecdga MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7436 cmdline: wmic ComputerSystem get domain MD5: E2DE6500DE1148C7F6027AD50AC8B891)
  • cleanup
Name: DarkGate
Description: First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
{"startup_persistence": true, "C2 url": "155.138.149.77", "check_ram": false, "crypter_rawstub": "DarkGate", "crypter_dll": "R0ijS0qCVITtS0e6xeZ", "crypter_au3": 6, "flag_14": true, "crypto_key": 80, "flag_32": false, "anti_vm": true, "min_disk": false, "flag_18": 100, "anti_analysis": true, "min_ram": false, "flag_19": 4096, "check_disk": false, "flag_21": false, "flag_23": true, "flag_31": false, "flag_24": "N-traff", "flag_25": "user1", "flag_26": false, "flag_27": "sDcGdADE", "flag_28": false, "flag_29": 2, "flag_35": false}
Source | Rule | Description | Author
00000001.00000002.1835519378.00000000047B1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000001.00000002.1835519378.0000000004818000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security
00000001.00000002.1835049410.00000000045FC000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000001.00000002.1835049410.00000000045FC000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security
00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 00000001.00000002.1835687862.0000000004B10000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: DarkGate {"startup_persistence": true, "C2 url": "155.138.149.77", "check_ram": false, "crypter_rawstub": "DarkGate", "crypter_dll": "R0ijS0qCVITtS0e6xeZ", "crypter_au3": 6, "flag_14": true, "crypto_key": 80, "flag_32": false, "anti_vm": true, "min_disk": false, "flag_18": 100, "anti_analysis": true, "min_ram": false, "flag_19": 4096, "check_disk": false, "flag_21": false, "flag_23": true, "flag_31": false, "flag_24": "N-traff", "flag_25": "user1", "flag_26": false, "flag_27": "sDcGdADE", "flag_28": false, "flag_29": 2, "flag_35": false}
Source: KgpiJLs58m.exe | ReversingLabs: Detection: 47%
Source: KgpiJLs58m.exe | Virustotal: Detection: 50%
Source: KgpiJLs58m.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: KgpiJLs58m.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\KgpiJLs58m.exe | Code function: 0_2_0453411C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_0453411C
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BC4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_00BC4005
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BCC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_00BCC2FF
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BC494A GetFileAttributesW,FindFirstFileW,FindClose,1_2_00BC494A
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BCCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_00BCCD9F
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BCCD14 FindFirstFileW,FindClose,1_2_00BCCD14
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BCF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00BCF5D8
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BCF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00BCF735
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BCFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_00BCFA36
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BC3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_00BC3CE2
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0188C705 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,1_2_0188C705
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0480A584 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,1_2_0480A584
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047B89F4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,1_2_047B89F4
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047B8AFC FindFirstFileA,GetLastError,1_2_047B8AFC
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_048031F8 FindFirstFileW,FindNextFileW,FindClose,1_2_048031F8
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047E3D68 FindFirstFileW,FindNextFileW,FindClose,1_2_047E3D68
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047CBD8C FindFirstFileA,FindNextFileA,FindClose,1_2_047CBD8C
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047B5974 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,1_2_047B5974
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0480BA70 FindFirstFileW,FindNextFileW,FindClose,1_2_0480BA70

Networking

Source: Malware configuration extractor | IPs: 155.138.149.77
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BD29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,1_2_00BD29BA
Source: KgpiJLs58m.exe, 00000000.00000003.1780521494.0000000006414000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1786900603.00000000027DC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1780332430.00000000064F3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1791456220.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: KgpiJLs58m.exe, 00000000.00000003.1780521494.0000000006414000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1786900603.00000000027DC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1780332430.00000000064F3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1791456220.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: KgpiJLs58m.exe, 00000000.00000003.1780521494.0000000006414000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1786900603.00000000027DC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1780332430.00000000064F3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1791456220.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: KgpiJLs58m.exe, 00000000.00000003.1780521494.0000000006414000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1792846371.000000000642A000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1786900603.00000000027DC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1780332430.00000000064F3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1791456220.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1835049410.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1835519378.00000000047B1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.io/ip
Source: Autoit3.exe, 00000001.00000002.1835049410.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1835519378.00000000047B1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.io/ipU
Source: KgpiJLs58m.exe, 00000000.00000003.1780521494.0000000006414000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1786900603.00000000027DC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1780332430.00000000064F3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1791456220.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: KgpiJLs58m.exe, 00000000.00000003.1780521494.0000000006414000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1786900603.00000000027DC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1780332430.00000000064F3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1791456220.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: KgpiJLs58m.exe, 00000000.00000003.1780521494.0000000006414000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1786900603.00000000027DC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1780332430.00000000064F3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1791456220.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: KgpiJLs58m.exe, 00000000.00000003.1780521494.0000000006414000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1786900603.00000000027DC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1780332430.00000000064F3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1791456220.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: KgpiJLs58m.exe, 00000000.00000003.1780521494.0000000006414000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1786900603.00000000027DC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1780332430.00000000064F3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1791456220.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: KgpiJLs58m.exe | String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: KgpiJLs58m.exe, 00000000.00000003.1780521494.0000000006414000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1786900603.00000000027DC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1780332430.00000000064F3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1791456220.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000000.1781728446.0000000000C29000.00000002.00000001.01000000.00000004.sdmp, Autoit3.exe.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: KgpiJLs58m.exe | String found in binary or memory: http://www.innosetup.com/
Source: KgpiJLs58m.exe | String found in binary or memory: http://www.remobjects.com/ps
Source: Autoit3.exe, 00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://mail.google.com/mail/u/0/#inbox
Source: KgpiJLs58m.exe, 00000000.00000003.1780521494.0000000006414000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1786900603.00000000027DC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1780332430.00000000064F3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1791456220.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Autoit3.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: KgpiJLs58m.exe, 00000000.00000003.1780521494.0000000006414000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1792846371.000000000642A000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1786900603.00000000027DC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1780332430.00000000064F3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1791456220.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BD4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,1_2_00BD4632
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BD4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,1_2_00BD4830
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BD4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,1_2_00BD4632
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047EB188 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,1_2_047EB188
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BC0508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,1_2_00BC0508
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BED164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_00BED164
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047E3A74 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,1_2_047E3A74
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_048044C8 NtQuerySystemInformation,NtDuplicateObject,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,1_2_048044C8
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_04804420 NtQueryObject,NtQueryObject,1_2_04804420
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_04804478 NtOpenProcess,1_2_04804478
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0480476C Sleep,TerminateThread,NtClose,NtClose,1_2_0480476C
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_048043EC NtDuplicateObject,NtClose,1_2_048043EC
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047E2CF0 BeginPaint,SetBkMode,TextOutA,EndPaint,PostQuitMessage,NtdllDefWindowProc_A,1_2_047E2CF0
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047DAF84 GetCurrentProcessId,OpenProcess,InitializeProcThreadAttributeList,GetProcessHeap,RtlAllocateHeap,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,1_2_047DAF84
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047DB2A4 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,1_2_047DB2A4
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BC42D5: CreateFileW,DeviceIoControl,CloseHandle,1_2_00BC42D5
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BB8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,1_2_00BB8F2E
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BC5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,1_2_00BC5778
Source: Joe Sandbox View | Dropped File: C:\temp\test\Autoit3.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Source: C:\temp\test\Autoit3.exe | Code function: String function: 047B4394 appears 101 times
Source: C:\temp\test\Autoit3.exe | Code function: String function: 047B4904 appears 92 times
Source: C:\temp\test\Autoit3.exe | Code function: String function: 00B71A36 appears 34 times
Source: C:\temp\test\Autoit3.exe | Code function: String function: 047E21B8 appears 36 times
Source: C:\temp\test\Autoit3.exe | Code function: String function: 00B88B30 appears 42 times
Source: C:\temp\test\Autoit3.exe | Code function: String function: 00B80D17 appears 70 times
Source: C:\temp\test\Autoit3.exe | Code function: String function: 047B4668 appears 48 times
Source: C:\temp\test\Autoit3.exe | Code function: String function: 047B6980 appears 111 times
Source: C:\Users\user\Desktop\KgpiJLs58m.exe | Code function: String function: 06378768 appears 32 times
Source: C:\Users\user\Desktop\KgpiJLs58m.exe | Code function: String function: 045611C4 appears 32 times
Source: KgpiJLs58m.exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: KgpiJLs58m.exe | Binary or memory string: OriginalFilename vs KgpiJLs58m.exe
Source: KgpiJLs58m.exe, 00000000.00000003.1780521494.0000000006414000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs KgpiJLs58m.exe
Source: KgpiJLs58m.exe, 00000000.00000002.1786900603.00000000027DC000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs KgpiJLs58m.exe
Source: KgpiJLs58m.exe, 00000000.00000003.1780332430.00000000064F3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs KgpiJLs58m.exe
Source: KgpiJLs58m.exe, 00000000.00000002.1791456220.00000000045FC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoIt3.exeB vs KgpiJLs58m.exe
Source: KgpiJLs58m.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal92.troj.spyw.evad.winEXE@8/4@0/1
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BCA6AD GetLastError,FormatMessageW,1_2_00BCA6AD
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BB8DE9 AdjustTokenPrivileges,CloseHandle,1_2_00BB8DE9
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BB9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,1_2_00BB9399
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BCB976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,1_2_00BCB976
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BC4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,1_2_00BC4148
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BCC9DA CoInitialize,CoCreateInstance,CoUninitialize,1_2_00BCC9DA
Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BC443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,1_2_00BC443D
            Source: C:\temp\test\Autoit3.exeFile created: C:\Users\user\AppData\Roaming\EDAdhKaJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeFile created: c:\temp\testJump to behavior
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\temp\test\Autoit3.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\temp\test\Autoit3.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: KgpiJLs58m.exeReversingLabs: Detection: 47%
            Source: KgpiJLs58m.exeVirustotal: Detection: 50%
            Source: KgpiJLs58m.exeString found in binary or memory: -Helper process exited with failure code: 0x%x
            Source: KgpiJLs58m.exeString found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
            Source: KgpiJLs58m.exeString found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
            Source: KgpiJLs58m.exeString found in binary or memory: /LoadInf=
            Source: unknownProcess created: C:\Users\user\Desktop\KgpiJLs58m.exe "C:\Users\user\Desktop\KgpiJLs58m.exe"
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeProcess created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
            Source: C:\temp\test\Autoit3.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ccheffe\beecdga
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeProcess created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3xJump to behavior
            Source: C:\temp\test\Autoit3.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ccheffe\beecdgaJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domainJump to behavior
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: version.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: winmm.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: mpr.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: wininet.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: userenv.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: netutils.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: vbscript.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: KgpiJLs58m.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: KgpiJLs58m.exeStatic file information: File size 4256256 > 1048576
            Source: KgpiJLs58m.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x258200
            Source: KgpiJLs58m.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1aa400
            Source: KgpiJLs58m.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00BDC6D9 LoadLibraryA,GetProcAddress,1_2_00BDC6D9
            Source: KgpiJLs58m.exeStatic PE information: real checksum: 0x29fb81 should be: 0x4144b0
            Source: KgpiJLs58m.exeStatic PE information: section name: .didata
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_06356768 push ss; ret 0_3_06356800
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_06356768 push ss; ret 0_3_06356800
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_063787AD push ecx; ret 0_3_063787C0
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_063567AB push ss; ret 0_3_06356800
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_063567AB push ss; ret 0_3_06356800
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_06354C79 push es; ret 0_3_06354C7B
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_06354C79 push es; ret 0_3_06354C7B
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_06359A32 push 7A3F3F3Eh; ret 0_3_06359C1E
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_06359A32 push 7A3F3F3Eh; ret 0_3_06359C1E
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_06359BDB push 7A3F3F3Eh; ret 0_3_06359C1E
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_06359BDB push 7A3F3F3Eh; ret 0_3_06359C1E
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_0635689F push es; iretd 0_3_063568A3
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_0635689F push es; iretd 0_3_063568A3
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_06356768 push ss; ret 0_3_06356800
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_06356768 push ss; ret 0_3_06356800
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_063567AB push ss; ret 0_3_06356800
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_063567AB push ss; ret 0_3_06356800
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_06354C79 push es; ret 0_3_06354C7B
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_06354C79 push es; ret 0_3_06354C7B
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_06359A32 push 7A3F3F3Eh; ret 0_3_06359C1E
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_06359A32 push 7A3F3F3Eh; ret 0_3_06359C1E
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_06359BDB push 7A3F3F3Eh; ret 0_3_06359C1E
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_06359BDB push 7A3F3F3Eh; ret 0_3_06359C1E
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_0635689F push es; iretd 0_3_063568A3
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_3_0635689F push es; iretd 0_3_063568A3
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_2_04538540 push 04538607h; ret 0_2_045385FF
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_2_045384D0 push 045384FEh; ret 0_2_045384F6
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_2_045384D4 push 045384FEh; ret 0_2_045384F6
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_2_0453474C push 0453479Dh; ret 0_2_04534795
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_2_04538090 push 0453820Ch; ret 0_2_04538204
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeCode function: 0_2_04538210 push 0453827Fh; ret 0_2_04538277
            Source: C:\Users\user\Desktop\KgpiJLs58m.exeFile created: C:\temp\test\Autoit3.exeJump to dropped file
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00BE59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,1_2_00BE59B3
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00B75EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,1_2_00B75EDA
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00B833B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00B833B7
            Source: C:\temp\test\Autoit3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0480C828
            Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1835049410.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1835519378.00000000047B1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SUPERANTISPYWARE.EXE
            Source: C:\temp\test\Autoit3.exe | API coverage: 5.1 %
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Domain FROM Win32_ComputerSystem
            Source: C:\Users\user\Desktop\KgpiJLs58m.exe | Code function: 0_2_0453411C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BC4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BCC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BC494A GetFileAttributesW,FindFirstFileW,FindClose
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BCCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BCCD14 FindFirstFileW,FindClose
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BCF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BCF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BCFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BC3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0188C705 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0480A584 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047B89F4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047B8AFC FindFirstFileA,GetLastError
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_048031F8 FindFirstFileW,FindNextFileW,FindClose
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047E3D68 FindFirstFileW,FindNextFileW,FindClose
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047CBD8C FindFirstFileA,FindNextFileA,FindClose
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047B5974 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0480BA70 FindFirstFileW,FindNextFileW,FindClose
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00B75D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: Autoit3.exe, 00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware
            Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1835049410.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1835519378.00000000047B1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: microsoft hyper-v video
            Source: Autoit3.exe, 00000001.00000002.1833090302.00000000018A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\temp\test\Autoit3.exe | Process information queried: ProcessInformation
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BD45D5 BlockInput
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00B75240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00B95CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BDC6D9 LoadLibraryA,GetProcAddress
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_01899306 mov eax, dword ptr fs:[00000030h]
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047DA79C mov eax, dword ptr fs:[00000030h]
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047D80A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BB88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00B8A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00B8A354 SetUnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047DDCB8 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BB9369 LogonUserW
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00B75240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BC1AC6 SendInput,keybd_event
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BC51E2 mouse_event
            Source: C:\Users\user\Desktop\KgpiJLs58m.exe | Process created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
            Source: C:\temp\test\Autoit3.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ccheffe\beecdga
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BB88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BC4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: KgpiJLs58m.exe, 00000000.00000003.1780332430.00000000064E5000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1791456220.00000000045EE000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1780521494.0000000006406000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: KgpiJLs58m.exe, Autoit3.exe | Binary or memory string: Shell_TrayWnd
            Source: C:\Users\user\Desktop\KgpiJLs58m.exe | Code function: 0_3_06378493 cpuid
            Source: C:\Users\user\Desktop\KgpiJLs58m.exe | Code function: 0_2_045342F4 GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
            Source: C:\Users\user\Desktop\KgpiJLs58m.exe | Code function: 0_2_045365F4 GetLocaleInfoA
            Source: C:\Users\user\Desktop\KgpiJLs58m.exe | Code function: 0_2_045365A8 GetLocaleInfoA
            Source: C:\Users\user\Desktop\KgpiJLs58m.exe | Code function: 0_2_045346D8 GetLocaleInfoA
            Source: C:\Users\user\Desktop\KgpiJLs58m.exe | Code function: 0_2_045343FF lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
            Source: C:\Users\user\Desktop\KgpiJLs58m.exe | Code function: 0_2_0453774C GetLocaleInfoA,GetACP
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0188C8DD GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0188C9E7 lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0188EBC1 GetLocaleInfoA
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0188EB75 GetLocaleInfoA
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0188FD19 GetLocaleInfoA,GetACP
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0188CCED GetLocaleInfoA
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047B5B4C GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047B6470 GetLocaleInfoA
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047BCC88 GetLocaleInfoA,GetACP
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047BB66C GetLocaleInfoA
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047BB620 GetLocaleInfoA
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047B5C56 lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA
            Source: C:\temp\test\Autoit3.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\temp\test\Autoit3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BA0030 GetLocalTime,__swprintf
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BA0722 GetUserNameW
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00B9416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\KgpiJLs58m.exe | Code function: 0_2_045347A1 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId
            Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1835049410.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1835519378.00000000047B1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mcshield.exe
            Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1835049410.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1835519378.00000000047B1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: superantispyware.exe

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000001.00000002.1835519378.0000000004818000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1835049410.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 7348, type: MEMORYSTR
            Source: Yara match | File source: 00000001.00000002.1835519378.00000000047B1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1835049410.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 7348, type: MEMORYSTR
            Source: Autoit3.exe | Binary or memory string: WIN_81
            Source: Autoit3.exe | Binary or memory string: WIN_XP
            Source: Autoit3.exe | Binary or memory string: WIN_XPe
            Source: Autoit3.exe | Binary or memory string: WIN_VISTA
            Source: Autoit3.exe | Binary or memory string: WIN_7
            Source: Autoit3.exe | Binary or memory string: WIN_8
            Source: Autoit3.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

            Source: Yara match | File source: 00000001.00000002.1835519378.0000000004818000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1835049410.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 7348, type: MEMORYSTR
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BD696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00BD6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_047CCCB4 bind
            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire Infrastructure2
            Valid Accounts
            1
            Windows Management Instrumentation
            1
            DLL Side-Loading
            1
            Exploitation for Privilege Escalation
            1
            Disable or Modify Tools
            21
            Input Capture
            2
            System Time Discovery
            Remote Services1
            Archive Collected Data
            1
            Ingress Tool Transfer
            Exfiltration Over Other Network Medium1
            System Shutdown/Reboot
            CredentialsDomainsDefault Accounts1
            Native API
            1
            Create Account
            1
            DLL Side-Loading
            1
            Deobfuscate/Decode Files or Information
            LSASS Memory1
            Account Discovery
            Remote Desktop Protocol1
            Screen Capture
            1
            Encrypted Channel
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts2
            Command and Scripting Interpreter
            2
            Valid Accounts
            2
            Valid Accounts
            2
            Obfuscated Files or Information
            Security Account Manager1
            File and Directory Discovery
            SMB/Windows Admin Shares21
            Input Capture
            1
            Application Layer Protocol
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
            Access Token Manipulation
            1
            DLL Side-Loading
            NTDS55
            System Information Discovery
            Distributed Component Object Model3
            Clipboard Data
            Protocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
            Process Injection
            1
            Masquerading
            LSA Secrets261
            Security Software Discovery
            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
            Valid Accounts
            Cached Domain Credentials1
            Virtualization/Sandbox Evasion
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            Virtualization/Sandbox Evasion
            DCSync3
            Process Discovery
            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
            Access Token Manipulation
            Proc Filesystem1
            Application Window Discovery
            Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt212
            Process Injection
            /etc/passwd and /etc/shadow1
            System Owner/User Discovery
            Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 1599696; Sample: KgpiJLs58m.exe; Startdate: 26/01/2025; Architecture: WINDOWS; Score: 92
• DNS/IP Info: 155.138.149.77 (AS-CHOOPAUS, United States)
• Sample signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected DarkGate; 3 other signatures
• KgpiJLs58m.exe started; dropped C:\temp\test\Autoit3.exe (PE32)
• Autoit3.exe started (signatures: Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes; Contains functionality to detect sleep reduction / modifications)
• cmd.exe started by Autoit3.exe
• WMIC.exe and conhost.exe started by cmd.exe

Source | Detection | Scanner | Label
KgpiJLs58m.exe | 47% | ReversingLabs | Win32.Trojan.Darkgate
KgpiJLs58m.exe | 50% | Virustotal |

Source | Detection | Scanner | Label
C:\temp\test\Autoit3.exe | 3% | ReversingLabs |
C:\temp\test\Autoit3.exe | 4% | Virustotal |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | KgpiJLs58m.exe | false | | high
http://www.autoitscript.com/autoit3/J | KgpiJLs58m.exe, 00000000.00000003.1780521494.0000000006414000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1786900603.00000000027DC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1780332430.00000000064F3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1791456220.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000000.1781728446.0000000000C29000.00000002.00000001.01000000.00000004.sdmp, Autoit3.exe.0.dr | false | | high
http://ipinfo.io/ip | Autoit3.exe, Autoit3.exe, 00000001.00000002.1835049410.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1835519378.00000000047B1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.autoitscript.com/autoit3/ | KgpiJLs58m.exe | false | | high
http://www.remobjects.com/ps | KgpiJLs58m.exe | false | | high
https://mail.google.com/mail/u/0/#inbox | Autoit3.exe, 00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.autoitscript.com/autoit3/ | KgpiJLs58m.exe, 00000000.00000003.1780521494.0000000006414000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1786900603.00000000027DC000.00000040.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000003.1780332430.00000000064F3000.00000004.00001000.00020000.00000000.sdmp, KgpiJLs58m.exe, 00000000.00000002.1791456220.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | false | | high
http://ipinfo.io/ipU | Autoit3.exe, 00000001.00000002.1835049410.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1835519378.00000000047B1000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
155.138.149.77 | unknown | United States | 20473 | AS-CHOOPAUS | true
                            Joe Sandbox version:42.0.0 Malachite
                            Analysis ID:1599696
                            Start date and time:2025-01-26 10:24:48 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 5m 56s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Run name:Run with higher sleep bypass
Number of new started processes analysed:5
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:KgpiJLs58m.exe
                            renamed because original name is a hash value
                            Original Sample Name:6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea.exe
                            Detection:MAL
                            Classification:mal92.troj.spyw.evad.winEXE@8/4@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 115
                            • Number of non-executed functions: 246
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                            • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                            • Stop behavior analysis, all processes terminated
                            • Excluded IPs from analysis (whitelisted): 20.12.23.50
                            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing disassembly code.
                            No simulations
                            No context
                            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-CHOOPAUS | shQKoXwsLl.exe | malicious | Tinba | 45.77.249.79
AS-CHOOPAUS | Claim- Jan 2025.xls | malicious | Unknown | 155.138.230.64
AS-CHOOPAUS | Claim- Jan 2025.xls | malicious | Unknown | 155.138.230.64
AS-CHOOPAUS | Claim- Jan 2025.xls | malicious | Unknown | 155.138.230.64
AS-CHOOPAUS | QDucAhFhA9.elf | malicious | Unknown | 95.179.223.245
AS-CHOOPAUS | http://home45insurance.blogspot.com | malicious | Unknown | 45.63.66.114
AS-CHOOPAUS | XClient.exe | malicious | XWorm | 45.32.153.7
AS-CHOOPAUS | https://metameaskloginr.webflow.io/ | malicious | Unknown | 155.138.141.200
AS-CHOOPAUS | l.js | malicious | Unknown | 149.248.58.85
AS-CHOOPAUS | l.js | malicious | Unknown | 149.248.58.85
                            No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\temp\test\Autoit3.exe | Notion Setup 4.3.0 (4).exe | malicious | DarkGate, MailPassView
C:\temp\test\Autoit3.exe | Notion Setup 4.3.0 (4).exe | malicious | DarkGate, MailPassView
C:\temp\test\Autoit3.exe | JiH0aUfOU6.exe | malicious | Unknown
C:\temp\test\Autoit3.exe | JiH0aUfOU6.exe | malicious | Unknown
C:\temp\test\Autoit3.exe | 2YLM6BQ9S3.exe | malicious | RedLine
C:\temp\test\Autoit3.exe | sEOELQpFOB.lnk | malicious | RedLine
C:\temp\test\Autoit3.exe | ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk | malicious | RedLine, SectopRAT
C:\temp\test\Autoit3.exe | payload_1.hta | malicious | RedLine
C:\temp\test\Autoit3.exe | fsg5PWtTm2.lnk | malicious | RedLine, SectopRAT
                                              Process:C:\Windows\SysWOW64\cmd.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):42
                                              Entropy (8bit):2.914979271060093
                                              Encrypted:false
                                              SSDEEP:3:Qh9eolFl+qlfYn:Q7eY+Fn
                                              MD5:F286D5CE2427154BAB8C54CC40BEE43B
                                              SHA1:0072FB56A72A55F111FD6B4E49E505238BCE19CA
                                              SHA-256:CA0515549BD66E50D294FAA44563D3585C5170DF3DE7DFCE26286FFD1A3C55B7
                                              SHA-512:03EF82377D66CEC2719EC8A4A95E11D9D6D9164F492C11030E69A9ED8B59135B36F28E356B49CD43A83E1BD904562E4CE5E659C21E1D239F39FCB5A14928DBEA
                                              Malicious:false
                                              Reputation:low
                                              Preview:..D.o.m.a.i.n. . .....m.P.r.u.O. . . .....
                                              Process:C:\temp\test\Autoit3.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):32
                                              Entropy (8bit):3.6084585933443494
                                              Encrypted:false
                                              SSDEEP:3:1jQh0NznPguwuJ:1jlTgIJ
                                              MD5:8D8586D4A5C5193D3BF667AC5CE7F36C
                                              SHA1:4018DF909B8D36B0FF1E63C511FF39B7DBA5468B
                                              SHA-256:64CE5B4CE518A3400DB53DEE4B9F1393AF45645B7C3B2FEB6D497849285AA0E3
                                              SHA-512:7D47FFEA4F7863F8D2B423A5673EF55C45FAC38A2BF5F9CA20F00FFF723BD31CF0F61A34C75A0E0533ECD310E20CA72EE22F279EA07F1460C29ECF24B8030002
                                              Malicious:false
                                              Reputation:low
                                              Preview:eKdFdCDHchHEeBAceBFGhDCKddcFCGDG
                                              Process:C:\Users\user\Desktop\KgpiJLs58m.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):893608
                                              Entropy (8bit):6.620131693023677
                                              Encrypted:false
                                              SSDEEP:12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
                                              MD5:C56B5F0201A3B3DE53E561FE76912BFD
                                              SHA1:2A4062E10A5DE813F5688221DBEB3F3FF33EB417
                                              SHA-256:237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
                                              SHA-512:195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 3%
                                              • Antivirus: Virustotal, Detection: 4%, Browse
                                              Joe Sandbox View:
                                              • Filename: Notion Setup 4.3.0 (4).exe, Detection: malicious, Browse
                                              • Filename: Notion Setup 4.3.0 (4).exe, Detection: malicious, Browse
                                              • Filename: JiH0aUfOU6.exe, Detection: malicious, Browse
                                              • Filename: JiH0aUfOU6.exe, Detection: malicious, Browse
                                              • Filename: 2YLM6BQ9S3.exe, Detection: malicious, Browse
                                              • Filename: sEOELQpFOB.lnk, Detection: malicious, Browse
                                              • Filename: ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk, Detection: malicious, Browse
                                              • Filename: payload_1.hta, Detection: malicious, Browse
                                              • Filename: fsg5PWtTm2.lnk, Detection: malicious, Browse
                                              Reputation:moderate, very likely benign file
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\KgpiJLs58m.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):598250
                                              Entropy (8bit):6.847347226287514
                                              Encrypted:false
                                              SSDEEP:12288:hQxqgrQxqgjneQJAvPstG0WtFNXenxmM5yN059S2Ai6IwbLqNKG7tY:ercrjtGXY6enxHyG5uizOo7m
                                              MD5:B94C5E38BBF4B6EF11E0442CE58C3131
                                              SHA1:00B5A444BC5E52F7DD9753383317EB2497EC4B38
                                              SHA-256:037E15B09413722B48802E6268848D0698B9ED468CD447B40E31EFA5CDB3C313
                                              SHA-512:546C148FAFD8298F79BF0B02C707AB88F5E15B099903ED725D11DF6345F2A73121BB385E5E094A8EF2A165284A760C104CD03B25804CC55B11A6F22B64A90914
                                              Malicious:false
                                              Reputation:low
                                              Preview:P)y............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................P)y......................................
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.096895677278031
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 98.88%
                                              • Inno Setup installer (109748/4) 1.08%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:KgpiJLs58m.exe
                                              File size:4'256'256 bytes
                                              MD5:998cd2e474751b5de344562b4ddb39e2
                                              SHA1:70ee02a76510b0757e3b26ffd98834f0d259f9d4
                                              SHA256:6b6676267c70fbeb3257f0bb9bce1587f0bdec621238eb32dd9f84b2bcd7e3ea
                                              SHA512:e69e703c79e9c151245cef8caaa18b30fc2992c72e98b2e197239eb439837ee3c5d446e99f117f4aec0dc56527fd943949e62bbaadd43e123d83d53ad09f43e7
                                              SSDEEP:49152:gR/KpmZubPf2S8W2ILeWl+C1pNjWy5Snd0eigXNG/2KyT0aXgkKdOcUP6CVjyusJ:G/jtYLP16y5E04Za1UP6mod
                                              TLSH:54167D1BB744783FD4AA06338823C6705937BE21B9A2CC5B67F43E0C6F359906B39656
                                              File Content Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                              Icon Hash:162854445c542180
                                              Entrypoint:0x65c4a4
                                              Entrypoint Section:.itext
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x5EC61809 [Thu May 21 05:56:25 2020 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:6
                                              OS Version Minor:0
                                              File Version Major:6
                                              File Version Minor:0
                                              Subsystem Version Major:6
                                              Subsystem Version Minor:0
                                              Import Hash:16c8c7a62c852018ed02e453e144c998
                                              Instruction
                                              push ebp
                                              mov ebp, esp
                                              add esp, FFFFFFF0h
                                              push ebx
                                              push esi
                                              push edi
                                              mov eax, 00651408h
                                              call 00007FC7A0D1F972h
                                              mov eax, dword ptr [00662788h]
                                              mov eax, dword ptr [eax]
                                              mov eax, dword ptr [eax+00000188h]
                                              push FFFFFFECh
                                              push eax
                                              call 00007FC7A0D239D1h
                                              mov edx, dword ptr [00662788h]
                                              mov edx, dword ptr [edx]
                                              mov edx, dword ptr [edx+00000188h]
                                              and eax, FFFFFF7Fh
                                              push eax
                                              push FFFFFFECh
                                              push edx
                                              call 00007FC7A0D239BDh
                                              xor eax, eax
                                              push ebp
                                              push 0065C528h
                                              push dword ptr fs:[eax]
                                              mov dword ptr fs:[eax], esp
                                              push 00000001h
                                              call 00007FC7A0D22D28h
                                              call 00007FC7A0F61E03h
                                              mov eax, dword ptr [00651030h]
                                              push eax
                                              push 006510C8h
                                              mov eax, dword ptr [00662788h]
                                              mov eax, dword ptr [eax]
                                              call 00007FC7A0EB3BA8h
                                              call 00007FC7A0F61E57h
                                              xor eax, eax
                                              pop edx
                                              pop ecx
                                              pop ecx
                                              mov dword ptr fs:[eax], edx
                                              jmp 00007FC7A0F6D1ABh
                                              jmp 00007FC7A0D186E8h
                                              call 00007FC7A0F61B9Fh
                                              mov eax, 00000001h
                                              call 00007FC7A0D191D1h
                                              call 00007FC7A0D18B2Ch
                                              mov eax, dword ptr [00662788h]
                                              mov eax, dword ptr [eax]
                                              mov edx, 0065C6BCh
                                              call 00007FC7A0EB367Fh
                                              push 00000005h
                                              mov eax, dword ptr [00662788h]
                                              mov eax, dword ptr [eax]
                                              mov eax, dword ptr [eax+00000188h]
                                              push eax
                                              call 00007FC7A0D236E6h
                                              mov eax, dword ptr [00662788h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x270000 | 0x97 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26b000 | 0x35d8 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x273000 | 0x1aa248 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x272000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x26b94c | 0x848 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x26f000 | 0x9ee | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2581fc | 0x258200 | 9ce38ee07dc8de6515f5e582039c012f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x25a000 | 0x26c8 | 0x2800 | 367bc90dd8be7c6a1056ad2a82281084 | False | 0.503125 | data | 6.119631643767066 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x25d000 | 0x5a64 | 0x5c00 | c20c3606951695cd5626a53022531398 | False | 0.40281080163043476 | data | 5.055173307610014 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x263000 | 0x780c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x26b000 | 0x35d8 | 0x3600 | 6cbfeeac8d17ca3b356e9c16e6f19fc1 | False | 0.33622685185185186 | data | 5.280395234482991 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x26f000 | 0x9ee | 0xa00 | 2726dff14c86e88d2aaa4303cf2dc681 | False | 0.36328125 | data | 4.360393246158077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x270000 | 0x97 | 0x200 | 8c377a4128fcc7899b263e28899a337b | False | 0.251953125 | data | 1.7456444612923019 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x271000 | 0x44 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x272000 | 0x5d | 0x200 | be59fdae8b4a80179fdb6b9e7588da9e | False | 0.189453125 | data | 1.4090774709019303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x273000 | 0x1aa248 | 0x1aa400 | 4f0490ef60b5eb8b64d8a251779511c0 | False | 0.7045408724340176 | data | 7.642057868934714 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
EKYXKPA62BJZH3QNRUC | 0x273dd8 | 0x177c08 | data | | | 0.7448005676269531
RT_CURSOR | 0x3eb9e0 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x3ebb14 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x3ebc48 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x3ebd7c | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x3ebeb0 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x3ebfe4 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x3ec118 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_BITMAP | 0x3ec24c | 0xd28 | Device independent bitmap graphic, 48 x 48 x 8, image size 0, resolution 3780 x 3780 px/m, 256 important colors | | | 0.16508313539192399
RT_BITMAP | 0x3ecf74 | 0x32a | Device independent bitmap graphic, 16 x 16 x 24, image size 770, resolution 3779 x 3779 px/m | | | 0.2074074074074074
RT_ICON | 0x3ed2a0 | 0x2a47 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9626720872216575
RT_ICON | 0x3efce8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | English | United States | 0.07821187743996215
RT_ICON | 0x400510 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m | English | United States | 0.10350536052133698
RT_ICON | 0x4099b8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | English | United States | 0.15653046764289089
RT_ICON | 0x40dbe0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | English | United States | 0.21597510373443984
RT_ICON | 0x410188 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | English | United States | 0.3219981238273921
RT_ICON | 0x411230 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m | English | United States | 0.42745901639344264
RT_ICON | 0x411bb8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | English | United States | 0.5966312056737588
RT_STRING | 0x412020 | 0x6c | data | | | 0.6018518518518519
RT_STRING | 0x41208c | 0x250 | data | | | 0.46790540540540543
RT_STRING | 0x4122dc | 0x204 | data | | | 0.46705426356589147
RT_STRING | 0x4124e0 | 0x3ec | data | | | 0.3894422310756972
RT_STRING | 0x4128cc | 0x410 | data | | | 0.41634615384615387
RT_STRING | 0x412cdc | 0x160 | data | | | 0.59375
RT_STRING | 0x412e3c | 0xd0 | data | | | 0.6778846153846154
RT_STRING | 0x412f0c | 0x2f4 | data | | | 0.43253968253968256
RT_STRING | 0x413200 | 0x3fc | data | | | 0.37941176470588234
RT_STRING | 0x4135fc | 0x49c | data | | | 0.35338983050847456
RT_STRING | 0x413a98 | 0x29c | data | | | 0.31736526946107785
RT_STRING | 0x413d34 | 0x3f0 | data | | | 0.43154761904761907
RT_STRING | 0x414124 | 0x438 | data | | | 0.3731481481481482
RT_STRING | 0x41455c | 0x3ac | data | | | 0.3861702127659574
RT_STRING | 0x414908 | 0x404 | data | | | 0.3764591439688716
RT_STRING | 0x414d0c | 0x2ac | data | | | 0.38742690058479534
RT_STRING | 0x414fb8 | 0xb8 | data | | | 0.657608695652174
RT_STRING | 0x415070 | 0xd0 | data | | | 0.6201923076923077
RT_STRING | 0x415140 | 0x354 | data | | | 0.4284037558685446
RT_STRING | 0x415494 | 0x3ac | data | | | 0.3425531914893617
RT_STRING | 0x415840 | 0x354 | data | | | 0.3826291079812207
RT_STRING | 0x415b94 | 0x2c0 | data | | | 0.41051136363636365
RT_RCDATA | 0x415e54 | 0x10 | data | | | 1.5
RT_RCDATA | 0x415e64 | 0x1800 | PE32+ executable (console) x86-64, for MS Windows | English | United States | 0.3924153645833333
RT_RCDATA | 0x417664 | 0xac4 | data | | | 0.5446298984034833
RT_RCDATA | 0x418128 | 0x147 | Delphi compiled form 'TMainForm' | | | 0.746177370030581
RT_RCDATA | 0x418270 | 0x480 | Delphi compiled form 'TNewDiskForm' | | | 0.5034722222222222
RT_RCDATA | 0x4186f0 | 0x400 | Delphi compiled form 'TSelectFolderForm' | | | 0.5087890625
RT_RCDATA | 0x418af0 | 0x4b5 | Delphi compiled form 'TSelectLanguageForm' | | | 0.5004149377593361
RT_RCDATA | 0x418fa8 | 0x7ff | Delphi compiled form 'TUninstallProgressForm' | | | 0.4054714215925745
RT_RCDATA | 0x4197a8 | 0x55c | Delphi compiled form 'TUninstSharedFileForm' | | | 0.41690962099125367
RT_RCDATA | 0x419d04 | 0x2ac9 | Delphi compiled form 'TWizardForm' | | | 0.19811923673879303
RT_GROUP_CURSOR | 0x41c7d0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x41c7e4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x41c7f8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x41c80c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x41c820 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x41c834 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x41c848 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x41c85c | 0x76 | data | English | United States | 0.7457627118644068
RT_VERSION | 0x41c8d4 | 0x24c | data | English | United States | 0.47959183673469385
RT_MANIFEST | 0x41cb20 | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4005464480874317
DLL | Import
mpr.dll | WNetEnumResourceW, WNetGetUniversalNameW, WNetGetConnectionW, WNetCloseEnum, WNetOpenEnumW
comdlg32.dll | GetSaveFileNameW, GetOpenFileNameW
comctl32.dll | FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_Draw, ImageList_Remove
shell32.dll | SHBrowseForFolderW, ExtractIconW, SHGetMalloc, SHGetFileInfoW, SHChangeNotify, Shell_NotifyIconW, ShellExecuteW, SHGetPathFromIDListW, ShellExecuteExW
user32.dll | CopyImage, CreateWindowExW, GetMenuItemInfoW, SetMenuItemInfoW, DefFrameProcW, GetDCEx, GetMessageW, PeekMessageW, MonitorFromWindow, GetDlgCtrlID, ScrollWindowEx, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, FrameRect, MapVirtualKeyW, OffsetRect, IsWindowUnicode, RegisterWindowMessageW, FillRect, GetMenuStringW, DispatchMessageW, SendMessageA, DefMDIChildProcW, EnumWindows, GetClassInfoW, GetSystemMenu, WaitForInputIdle, ShowOwnedPopups, GetScrollRange, GetScrollPos, SetScrollPos, GetActiveWindow, SetActiveWindow, DrawEdge, InflateRect, GetKeyboardLayoutList, OemToCharBuffA, LoadBitmapW, DrawFocusRect, EnumChildWindows, GetScrollBarInfo, SendNotifyMessageW, ReleaseCapture, UnhookWindowsHookEx, LoadCursorW, GetCapture, SetCapture, CreatePopupMenu, ScrollWindow, ShowCaret, GetMenuItemID, GetLastActivePopup, CharLowerBuffW, GetSystemMetrics, SetWindowLongW, PostMessageW, DrawMenuBar, SetParent, IsZoomed, CharUpperBuffW, GetClientRect, IsChild, ClientToScreen, SetWindowPlacement, IsIconic, CallNextHookEx, GetMonitorInfoW, ShowWindow, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, SetForegroundWindow, GetWindowTextW, EnableWindow, DestroyWindow, IsDialogMessageW, EndMenu, RegisterClassW, CharNextW, GetWindowThreadProcessId, RedrawWindow, GetDC, GetFocus, SetFocus, EndPaint, ExitWindowsEx, ReleaseDC, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, GetClassLongW, ActivateKeyboardLayout, GetParent, CharToOemBuffA, DrawTextW, SetScrollRange, InsertMenuItemW, PeekMessageA, GetPropW, SetClassLongW, MessageBoxW, MessageBeep, SetPropW, SetRectEmpty, UpdateWindow, RemovePropW, GetSubMenu, MsgWaitForMultipleObjects, DestroyMenu, DestroyIcon, SetWindowsHookExW, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, AdjustWindowRectEx, DrawIcon, IsWindow, EnumThreadWindows, InvalidateRect, GetKeyboardState, DrawFrameControl, ScreenToClient, SendMessageTimeoutW, BringWindowToTop, SetCursor, CreateIcon, CreateMenu, LoadStringW, CharLowerW, SetWindowPos, SetWindowRgn, GetMenuItemCount, RemoveMenu, AppendMenuW, GetSysColorBrush, GetKeyboardLayoutNameW, GetWindowDC, TranslateMessage, DrawTextExW, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, DestroyCursor, ReplyMessage, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, EnableScrollBar, GetSysColor, TrackPopupMenu, DrawIconEx, PostQuitMessage, GetClassNameW, ShowScrollBar, EnableMenuItem, GetIconInfo, GetMessagePos, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, GetCursorPos, SetCursorPos, HideCaret, GetMenu, GetMenuState, SetMenu, SetRect, GetKeyState, FindWindowExW, MonitorFromPoint, SystemParametersInfoW, LoadIconW, GetCursor, GetWindow, GetWindowLongW, GetWindowRect, InsertMenuW, KillTimer, WaitMessage, IsWindowEnabled, IsDialogMessageA, TranslateMDISysAccel, GetWindowPlacement, FindWindowW, DeleteMenu, GetKeyboardLayout
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll | SafeArrayPutElement, LoadTypeLib, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, GetActiveObject, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, RegisterTypeLib, VariantChangeType, VariantCopyInd
advapi32.dll | RegSetValueExW, RegEnumKeyExW, AdjustTokenPrivileges, OpenThreadToken, GetUserNameW, RegDeleteKeyW, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegQueryInfoKeyW, AllocateAndInitializeSid, FreeSid, EqualSid, RegDeleteValueW, RegFlushKey, RegQueryValueExW, RegEnumValueW, GetTokenInformation, InitializeSecurityDescriptor, RegCloseKey, RegCreateKeyExW, SetSecurityDescriptorDacl
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
kernel32.dll | SetFileAttributesW, SetFileTime, GetACP, GetExitCodeProcess, IsBadWritePtr, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, QueryPerformanceFrequency, FindNextFileW, GetFullPathNameW, VirtualFree, ExitProcess, HeapAlloc, WriteProfileStringW, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, HeapDestroy, CompareFileTime, ReadFile, CreateProcessW, TransactNamedPipe, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, OpenMutexW, CreateThread, CompareStringW, CopyFileW, CreateMutexW, LoadLibraryA, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, MoveFileW, GlobalAddAtomW, GetSystemTimeAsFileTime, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, GetCurrentThread, GetLogicalDrives, LocalFileTimeToFileTime, SetNamedPipeHandleState, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetShortPathNameW, GetCurrentThreadId, UnhandledExceptionFilter, MoveFileExW, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, FlushFileBuffers, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GetStartupInfoW, GlobalDeleteAtom, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, DeviceIoControl, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, lstrcmpW, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateNamedPipeW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetOverlappedResult, GetSystemDefaultUILanguage, EnumCalendarInfoW, GetProfileStringW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, IsDBCSLeadByte, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
ole32.dll | StgCreateDocfileOnILockBytes, CoCreateInstance, CLSIDFromString, CoUninitialize, IsEqualGUID, OleInitialize, CoFreeUnusedLibraries, CreateILockBytesOnHGlobal, CLSIDFromProgID, OleUninitialize, CoDisconnectObject, CoInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID
gdi32.dll | Arc, Pie, SetBkMode, SelectPalette, CreateCompatibleBitmap, ExcludeClipRect, RectVisible, SetWindowOrgEx, MaskBlt, AngleArc, Chord, SetTextColor, StretchBlt, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, RemoveFontResourceW, GetWindowOrgEx, CreatePalette, CreateBrushIndirect, PatBlt, LineDDA, PolyBezierTo, GetStockObject, CreateSolidBrush, Polygon, Rectangle, MoveToEx, DeleteDC, SaveDC, BitBlt, Ellipse, FrameRgn, GetDeviceCaps, GetBitmapBits, GetTextExtentPoint32W, GetClipBox, Polyline, IntersectClipRect, GetSystemPaletteEntries, CreateBitmap, AddFontResourceW, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, CreatePenIndirect, SetStretchBltMode, GetDIBits, CreateFontIndirectW, PolyBezier, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, DeleteObject, SelectObject, ExtFloodFill, UnrealizeObject, SetBkColor, CreateCompatibleDC, GetObjectW, GetBrushOrgEx, GetCurrentPositionEx, SetROP2, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, ArcTo, GdiFlush, SetPixel, EnumFontFamiliesExW, GetPaletteEntries
Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x4aefc0
__dbk_fcall_wrapper | 2 | 0x40eb68
dbkFCallWrapperAddr | 1 | 0x66663c

Language of compilation system | Country where language is spoken | Map
English | United States |

No network behavior found


Target ID: 0
Start time: 04:25:49
Start date: 26/01/2025
Path: C:\Users\user\Desktop\KgpiJLs58m.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\KgpiJLs58m.exe"
Imagebase: 0x400000
File size: 4'256'256 bytes
MD5 hash: 998CD2E474751B5DE344562B4DDB39E2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 1
Start time: 04:25:50
Start date: 26/01/2025
Path: C:\temp\test\Autoit3.exe
Wow64 process (32bit): true
Commandline: "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
Imagebase: 0xb60000
File size: 893'608 bytes
MD5 hash: C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.1835519378.00000000047B1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000001.00000002.1835519378.0000000004818000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.1835049410.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000001.00000002.1835049410.00000000045FC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000001.00000002.1835400619.00000000046B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 3%, ReversingLabs
• Detection: 4%, Virustotal
Reputation: high
Has exited: true

Target ID: 2
Start time: 04:25:53
Start date: 26/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ccheffe\beecdga
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 04:25:53
Start date: 26/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 04:25:53
Start date: 26/01/2025
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit): true
Commandline: wmic ComputerSystem get domain
Imagebase: 0xb50000
File size: 427'008 bytes
MD5 hash: E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true
