Edit tour

Windows Analysis Report
in.exe

Overview

General Information

Sample name:	in.exe
Analysis ID:	1609152
MD5:	ea3874838d38c5e9ee97748af1d561cb
SHA1:	18cd397a8f1a29585ac2c928fc7da346dae68e91
SHA256:	1ffa8b06cb779360f8c42ccd4527ae3076d25d11b3a90976f04ea430173e9b85
Tags:	darkgateexeuser-smica83
Infos:

Detection

DarkGate, MailPassView

Score:	72
Range:	0 - 100
Confidence:	100%

Signatures

Yara detected DarkGate

Yara detected MailPassView

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May check if the current machine is a sandbox (GetTickCount - Sleep)

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the product ID of Windows

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

in.exe (PID: 7876 cmdline: "C:\Users\user\Desktop\in.exe" MD5: EA3874838D38C5E9EE97748AF1D561CB)

Autoit3.exe (PID: 7936 cmdline: "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

cmd.exe (PID: 7984 cmdline: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\dkhkhfh\ddekcba MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 8032 cmdline: wmic ComputerSystem get domain MD5: E2DE6500DE1148C7F6027AD50AC8B891)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkGate	First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.	No Attribution	https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/ https://blog.sekoia.io/darkgate-internals/ https://blog.talosintelligence.com/darkgate-remote-template-injection/ https://cofense.com/blog/are-darkgate-and-pikabot-the-new-qakbot/ https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-delivered-via-microsoft-teams-detection-and-response	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1448972639.0000000004198000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000002.00000002.1448644940.0000000003F77000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000002.00000002.1448644940.0000000003F77000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000002.00000002.1448972639.0000000004131000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
Process Memory Space: Autoit3.exe PID: 7936	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: Autoit3.exe PID: 7936	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
Click to see the 3 entries

Code function: 2_2_00804632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

2_2_00804632

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_00804830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

2_2_00804830

Source: C:\temp\test\Autoit3.exe

2_2_00804632

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_0416B188 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

2_2_0416B188

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007F0508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

2_2_007F0508

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_0081D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

2_2_0081D164

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_04163A74 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,

2_2_04163A74

Source: C:\temp\test\Autoit3.exe	Code function: 2_2_04184420 NtQueryObject,NtQueryObject,	2_2_04184420
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_04184478 NtOpenProcess,	2_2_04184478
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_041844C8 NtQuerySystemInformation,NtDuplicateObject,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,	2_2_041844C8
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0418476C Sleep,TerminateThread,NtClose,NtClose,	2_2_0418476C
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_041843EC NtDuplicateObject,NtClose,	2_2_041843EC
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_04162CF0 BeginPaint,SetBkMode,TextOutA,EndPaint,PostQuitMessage,NtdllDefWindowProc_A,	2_2_04162CF0
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0415AF84 GetCurrentProcessId,OpenProcess,InitializeProcThreadAttributeList,GetProcessHeap,RtlAllocateHeap,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,	2_2_0415AF84
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0415B2A4 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,	2_2_0415B2A4

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007F4254: CreateFileW,DeviceIoControl,CloseHandle,

2_2_007F4254

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007E8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

2_2_007E8F2E

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007F5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

2_2_007F5778

Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_06730672	0_3_06730672
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066DD7DD	0_3_066DD7DD
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066D74FB	0_3_066D74FB
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066E85F7	0_3_066E85F7
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066D12EC	0_3_066D12EC
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066E2296	0_3_066E2296
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066DBC0E	0_3_066DBC0E
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066E6C1E	0_3_066E6C1E
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_06718A7C	0_3_06718A7C
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_0670E9EA	0_3_0670E9EA
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066DC989	0_3_066DC989
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_06730672	0_3_06730672
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066DD7DD	0_3_066DD7DD
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066D74FB	0_3_066D74FB
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066E85F7	0_3_066E85F7
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066D12EC	0_3_066D12EC
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066E2296	0_3_066E2296
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066DBC0E	0_3_066DBC0E
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066E6C1E	0_3_066E6C1E
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_06718A7C	0_3_06718A7C
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_0670E9EA	0_3_0670E9EA
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066DC989	0_3_066DC989
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_048BA654	0_2_048BA654
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_048C466A	0_2_048C466A
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_048C6239	0_2_048C6239
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_048BA23C	0_2_048BA23C
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_048B63BC	0_2_048B63BC
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_048D2379	0_2_048D2379
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_048CACF2	0_2_048CACF2
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_048A6D84	0_2_048A6D84
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_048BAEBE	0_2_048BAEBE
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0079B020	2_2_0079B020
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_00791663	2_2_00791663
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_00799C80	2_2_00799C80
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007B23F5	2_2_007B23F5
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_00818400	2_2_00818400
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007C6502	2_2_007C6502
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007C265E	2_2_007C265E
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0079E6F0	2_2_0079E6F0
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007B282A	2_2_007B282A
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007C89BF	2_2_007C89BF
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007C6A74	2_2_007C6A74
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_00810A3A	2_2_00810A3A
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007A0BE0	2_2_007A0BE0
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007BCD51	2_2_007BCD51
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007EEDB2	2_2_007EEDB2
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_00810EB7	2_2_00810EB7
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007F8E44	2_2_007F8E44
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007C6FE6	2_2_007C6FE6
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007B33B7	2_2_007B33B7
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007AD45D	2_2_007AD45D
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007BF409	2_2_007BF409
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007994E0	2_2_007994E0
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007AF628	2_2_007AF628
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007B16B4	2_2_007B16B4
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0079F6A0	2_2_0079F6A0
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007B78C3	2_2_007B78C3
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007B1BA8	2_2_007B1BA8
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007BDBA5	2_2_007BDBA5
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007C9CE5	2_2_007C9CE5
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007ADD28	2_2_007ADD28
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007BBFD6	2_2_007BBFD6
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007B1FC0	2_2_007B1FC0
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_04156438	2_2_04156438
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0415A79C	2_2_0415A79C
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0416EC00	2_2_0416EC00
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0417B1B8	2_2_0417B1B8
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_04179BD0	2_2_04179BD0

Source: Joe Sandbox View

Dropped File: C:\temp\test\Autoit3.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D

Source: C:\temp\test\Autoit3.exe	Code function: String function: 007B0D17 appears 70 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 007B8B30 appears 42 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 04134904 appears 92 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 04134394 appears 100 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 007A1A36 appears 34 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 04136980 appears 77 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 041621B8 appears 35 times
Source: C:\temp\test\Autoit3.exe	Code function: String function: 04134668 appears 47 times
Source: C:\Users\user\Desktop\in.exe	Code function: String function: 066E17A8 appears 50 times
Source: C:\Users\user\Desktop\in.exe	Code function: String function: 066D9BDD appears 36 times
Source: C:\Users\user\Desktop\in.exe	Code function: String function: 066D8768 appears 64 times

Source: in.exe

Static PE information: invalid certificate

Source: in.exe

Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: in.exe	Binary or memory string: OriginalFilename vs in.exe
Source: in.exe, 00000000.00000002.1403210914.0000000002B3C000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs in.exe
Source: in.exe, 00000000.00000003.1400109742.0000000006774000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs in.exe
Source: in.exe, 00000000.00000003.1399932274.0000000006853000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs in.exe
Source: in.exe, 00000000.00000002.1405189984.000000000495C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs in.exe

Source: in.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal72.troj.spyw.evad.winEXE@8/4@0/0

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007FA6AD GetLastError,FormatMessageW,

2_2_007FA6AD

Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007E8DE9 AdjustTokenPrivileges,CloseHandle,		2_2_007E8DE9
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007E9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		2_2_007E9399

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007FB976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

2_2_007FB976

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007F4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

2_2_007F4148

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007FC9DA CoInitialize,CoCreateInstance,CoUninitialize,

2_2_007FC9DA

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007F443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

2_2_007F443D

Source: C:\temp\test\Autoit3.exe

File created: C:\Users\user\AppData\Roaming\ChbFbab

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03

Source: C:\Users\user\Desktop\in.exe

File created: c:\temp\test

Jump to behavior

Source: C:\Users\user\Desktop\in.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\in.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: in.exe	String found in binary or memory: -Helper process exited with failure code: 0x%x
Source: in.exe	String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
Source: in.exe	String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
Source: in.exe	String found in binary or memory: /LoadInf=

Source: C:\Users\user\Desktop\in.exe

File read: C:\Users\user\Desktop\in.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\in.exe "C:\Users\user\Desktop\in.exe"
Source: C:\Users\user\Desktop\in.exe	Process created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
Source: C:\temp\test\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\dkhkhfh\ddekcba
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain
Source: C:\Users\user\Desktop\in.exe	Process created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\dkhkhfh\ddekcba	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain	Jump to behavior

Source: C:\Users\user\Desktop\in.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: in.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: in.exe

Static file information: File size 4157976 > 1048576

Source: in.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x258200
Source: in.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x191200

Source: in.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_0080C6D9 LoadLibraryA,GetProcAddress,

2_2_0080C6D9

Source: in.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066D87AD push ecx; ret	0_3_066D87C0
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066B48C2 push esi; ret	0_3_066B48C5
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066B48C2 push esi; ret	0_3_066B48C5
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066D87AD push ecx; ret	0_3_066D87C0
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066B48C2 push esi; ret	0_3_066B48C5
Source: C:\Users\user\Desktop\in.exe	Code function: 0_3_066B48C2 push esi; ret	0_3_066B48C5
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_04898540 push 04898607h; ret	0_2_048985FF
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_048984D0 push 048984FEh; ret	0_2_048984F6
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_048984D4 push 048984FEh; ret	0_2_048984F6
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_04898500 push 04898607h; ret	0_2_048985FF
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_0489474C push 0489479Dh; ret	0_2_04894795
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_04898090 push 0489820Ch; ret	0_2_04898204
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_0489820E push 0489827Fh; ret	0_2_04898277
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_04898210 push 0489827Fh; ret	0_2_04898277
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_04892C64 push eax; ret	0_2_04892CA0
Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_04894D9C push 04894DC8h; ret	0_2_04894DC0
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007B8B75 push ecx; ret	2_2_007B8B88
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007ACBDB push eax; retf	2_2_007ACBF8
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007ACC06 push eax; retf	2_2_007ACBF8
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0123D911 push 0123D962h; ret	2_2_0123D95A
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0123B975 push eax; ret	2_2_0123B9B1
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0123DB59 push 0123DB85h; ret	2_2_0123DB7D
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0124138D push 012413FCh; ret	2_2_012413F4
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0124138B push 012413FCh; ret	2_2_012413F4
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0123DB91 push 0123DBBDh; ret	2_2_0123DBB5
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0124120D push 01241389h; ret	2_2_01241381
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_01241AF9 push 01241B1Fh; ret	2_2_01241B17
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0123EC11 push ecx; mov dword ptr [esp], eax	2_2_0123EC12
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0123DCA1 push 0123DCCDh; ret	2_2_0123DCC5
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0123DF59 push 0123DF85h; ret	2_2_0123DF7D
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0123DED9 push 0123DF85h; ret	2_2_0123DF7D

Source: C:\Users\user\Desktop\in.exe

File created: C:\temp\test\Autoit3.exe

Jump to dropped file

Source: C:\temp\test\Autoit3.exe	Code function: 2_2_008159B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		2_2_008159B3
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007A5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		2_2_007A5EDA

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007B33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_007B33B7

Source: C:\Users\user\Desktop\in.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\in.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_0418C828

2_2_0418C828

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Autoit3.exe, Autoit3.exe, 00000002.00000002.1448644940.0000000003F77000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1448972639.0000000004131000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: SUPERANTISPYWARE.EXE

Source: C:\Users\user\Desktop\in.exe	API coverage: 6.5 %
Source: C:\temp\test\Autoit3.exe	API coverage: 5.2 %

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_0418C828

2_2_0418C828

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Domain FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\in.exe	Code function: 0_2_0489411C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_0489411C
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007F4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_007F4005
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007FC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_007FC2FF
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007F494A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_007F494A
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007FCD14 FindFirstFileW,FindClose,	2_2_007FCD14
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007FCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_007FCD9F
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007FF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_007FF5D8
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007FF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_007FF735
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007FFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_007FFA36
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007F3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_007F3CE2
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0418A584 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,	2_2_0418A584
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_041389F4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	2_2_041389F4
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_04138AFC FindFirstFileA,GetLastError,	2_2_04138AFC
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_041831F8 FindFirstFileW,FindNextFileW,FindClose,	2_2_041831F8
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_04163D68 FindFirstFileW,FindNextFileW,FindClose,	2_2_04163D68
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0414BD8C FindFirstFileA,FindNextFileA,FindClose,	2_2_0414BD8C
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_04135974 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	2_2_04135974
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0418BA70 FindFirstFileW,FindNextFileW,FindClose,	2_2_0418BA70

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007A5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

2_2_007A5D13

Source: Autoit3.exe, 00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Autoit3.exe, Autoit3.exe, 00000002.00000002.1448644940.0000000003F77000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1448972639.0000000004131000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: Autoit3.exe, 00000002.00000002.1447896691.000000000124B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?

Source: C:\temp\test\Autoit3.exe

API call chain: ExitProcess graph end node

graph_2-139827

Source: C:\temp\test\Autoit3.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_008045D5 BlockInput,

2_2_008045D5

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007A5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

2_2_007A5240

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007C5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

2_2_007C5CAC

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_0080C6D9 LoadLibraryA,GetProcAddress,

2_2_0080C6D9

Source: C:\temp\test\Autoit3.exe	Code function: 2_2_01249EB6 mov eax, dword ptr fs:[00000030h]	2_2_01249EB6
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0415A79C mov eax, dword ptr fs:[00000030h]	2_2_0415A79C
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0415A79C mov eax, dword ptr fs:[00000030h]	2_2_0415A79C
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_041580A4 mov eax, dword ptr fs:[00000030h]	2_2_041580A4

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007E88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

2_2_007E88CD

Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007BA354 SetUnhandledExceptionFilter,		2_2_007BA354
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_007BA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		2_2_007BA385

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_0415DCB8 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,

2_2_0415DCB8

Contains functionality to inject threads in other processes

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_0415DCB8 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,

2_2_0415DCB8

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007E9369 LogonUserW,

2_2_007E9369

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007A5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

2_2_007A5240

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007F1AC6 SendInput,keybd_event,

2_2_007F1AC6

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007F51E2 mouse_event,

2_2_007F51E2

Source: C:\Users\user\Desktop\in.exe	Process created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x	Jump to behavior
Source: C:\temp\test\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\dkhkhfh\ddekcba	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain	Jump to behavior

Source: C:\temp\test\Autoit3.exe

2_2_007E88CD

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007F4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

2_2_007F4F1C

Source: in.exe, 00000000.00000002.1403210914.0000000002B2E000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1400109742.0000000006766000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1399932274.0000000006845000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: in.exe, Autoit3.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\in.exe

Code function: 0_3_066D8493 cpuid

0_3_066D8493

Source: C:\Users\user\Desktop\in.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_048942F4
Source: C:\Users\user\Desktop\in.exe	Code function: GetLocaleInfoA,	0_2_048965A8
Source: C:\Users\user\Desktop\in.exe	Code function: GetLocaleInfoA,	0_2_048965F4
Source: C:\Users\user\Desktop\in.exe	Code function: GetLocaleInfoA,	0_2_048946D8
Source: C:\Users\user\Desktop\in.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_048943FF
Source: C:\temp\test\Autoit3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	2_2_0123D48D
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	2_2_0123D89D
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	2_2_012408C9
Source: C:\temp\test\Autoit3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	2_2_0123D597
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	2_2_0123F771
Source: C:\temp\test\Autoit3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	2_2_04135B4C
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	2_2_04136470
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,GetACP,	2_2_0413CC88
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	2_2_0413B620
Source: C:\temp\test\Autoit3.exe	Code function: GetLocaleInfoA,	2_2_0413B66C
Source: C:\temp\test\Autoit3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	2_2_04135C56

Source: C:\temp\test\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\temp\test\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\temp\test\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior
Source: C:\temp\test\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007D0030 GetLocalTime,__swprintf,

2_2_007D0030

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007D0722 GetUserNameW,

2_2_007D0722

Source: C:\temp\test\Autoit3.exe

Code function: 2_2_007C416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_007C416A

Source: C:\Users\user\Desktop\in.exe

Code function: 0_2_048947A1 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,

0_2_048947A1

Source: Autoit3.exe, Autoit3.exe, 00000002.00000002.1448644940.0000000003F77000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1448972639.0000000004131000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: Autoit3.exe, Autoit3.exe, 00000002.00000002.1448644940.0000000003F77000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1448972639.0000000004131000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: superantispyware.exe

Stealing of Sensitive Information

Yara detected DarkGate

Source: Yara match	File source: 00000002.00000002.1448972639.0000000004198000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1448644940.0000000003F77000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 7936, type: MEMORYSTR

Yara detected MailPassView

Source: Yara match	File source: 00000002.00000002.1448644940.0000000003F77000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1448972639.0000000004131000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 7936, type: MEMORYSTR

Source: Autoit3.exe	Binary or memory string: WIN_81
Source: Autoit3.exe	Binary or memory string: WIN_XP
Source: Autoit3.exe	Binary or memory string: WIN_XPe
Source: Autoit3.exe	Binary or memory string: WIN_VISTA
Source: Autoit3.exe	Binary or memory string: WIN_7
Source: Autoit3.exe	Binary or memory string: WIN_8
Source: Autoit3.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected DarkGate

Source: Yara match	File source: 00000002.00000002.1448972639.0000000004198000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1448644940.0000000003F77000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 7936, type: MEMORYSTR

Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0080696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_0080696E
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_00806E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00806E32
Source: C:\temp\test\Autoit3.exe	Code function: 2_2_0414CCB4 bind,	2_2_0414CCB4

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Create Account	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	55 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	261 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
in.exe	4%	Virustotal		Browse
in.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\temp\test\Autoit3.exe	3%	ReversingLabs
C:\temp\test\Autoit3.exe	4%	Virustotal		Browse

Name	Source	Malicious	Reputation
http://www.innosetup.com/	in.exe	false	high
http://www.autoitscript.com/autoit3/J	in.exe, 00000000.00000002.1403210914.0000000002B3C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1400109742.0000000006774000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1399932274.0000000006853000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1405189984.000000000495C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1447353658.0000000000859000.00000002.00000001.01000000.00000004.sdmp, Autoit3.exe.0.dr	false	high
http://ipinfo.io/ip	Autoit3.exe, Autoit3.exe, 00000002.00000002.1448644940.0000000003F77000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1448972639.0000000004131000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp	false	high
http://www.autoitscript.com/autoit3/	in.exe	false	high
http://www.remobjects.com/ps	in.exe	false	high
https://mail.google.com/mail/u/0/#inbox	Autoit3.exe, 00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp	false	high
https://www.autoitscript.com/autoit3/	in.exe, 00000000.00000002.1403210914.0000000002B3C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1400109742.0000000006774000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1399932274.0000000006853000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1405189984.000000000495C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	false	high
http://ipinfo.io/ipU	Autoit3.exe, 00000002.00000002.1448644940.0000000003F77000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1448972639.0000000004131000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1609152
Start date and time:	2025-02-07 11:38:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	in.exe
Detection:	MAL
Classification:	mal72.troj.spyw.evad.winEXE@8/4@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 116 Number of non-executed functions: 263
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
05:39:13	API Interceptor	1x Sleep call for process: WMIC.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\temp\test\Autoit3.exe	KgpiJLs58m.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	KgpiJLs58m.exe	Get hash	malicious	DarkGate, MailPassView	Browse
	Notion Setup 4.3.0 (4).exe	Get hash	malicious	DarkGate, MailPassView	Browse
	Notion Setup 4.3.0 (4).exe	Get hash	malicious	DarkGate, MailPassView	Browse
	JiH0aUfOU6.exe	Get hash	malicious	Unknown	Browse
	JiH0aUfOU6.exe	Get hash	malicious	Unknown	Browse
	2YLM6BQ9S3.exe	Get hash	malicious	RedLine	Browse
	sEOELQpFOB.lnk	Get hash	malicious	RedLine	Browse
	ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk	Get hash	malicious	RedLine, SectopRAT	Browse
	payload_1.hta	Get hash	malicious	RedLine	Browse

Created / dropped Files

C:\ProgramData\dkhkhfh\ddekcba

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.9625983186791407
Encrypted:	false
SSDEEP:	3:Qh9eolFl+VlSSXAn:Q7eY+qnn
MD5:	A427A480A98C668EBFAD0F62CF196EA4
SHA1:	56747983CD0DE7C58565BA381ADCA759386896DF
SHA-256:	1CD3EFE0E43DBD601ADC7C852550394E430EDE2F7B09C3D6C46F294F075693D4
SHA-512:	0975E4DF44A56453A77FFEF430A06DB2A8A9198888CECCDB8434BB09EBA68D1042BEC245D670C75E5453638336112EA4ABA221F1A5B894760A170262F5901223
Malicious:	false
Reputation:	low
Preview:	..D.o.m.a.i.n. . .....x.p.w.e.8. . . .....

C:\Users\user\AppData\Roaming\ChbFbab

Download File

Process:	C:\temp\test\Autoit3.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.676108500731241
Encrypted:	false
SSDEEP:	3:PonkjGAEOWhnn:PAsGAEOWFn
MD5:	0672DC707F1A6B410D2CB59005FB563C
SHA1:	593AC07FD314A428B1F19B048F0DC55DFE8719E3
SHA-256:	DD8C268D6E620B506F92184731164DBBF4DAC8C7DACFE26C8A4C62399F59D7CC
SHA-512:	52B7ABBCE86FE868502E114683B57F5CB367DE6D5F7F4B8FE5370FF47A5B1D0A497075289D74D765003777F78A07ECFA96E60594080E0FEE29E9EAF6C73DE2D7
Malicious:	false
Reputation:	low
Preview:	BKEDDbehEGAbfHHdKFeaAbEcEeeDBDEG

C:\temp\test\Autoit3.exe

Download File

Process:	C:\Users\user\Desktop\in.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 4%, Browse
Joe Sandbox View:	Filename: KgpiJLs58m.exe, Detection: malicious, Browse Filename: KgpiJLs58m.exe, Detection: malicious, Browse Filename: Notion Setup 4.3.0 (4).exe, Detection: malicious, Browse Filename: Notion Setup 4.3.0 (4).exe, Detection: malicious, Browse Filename: JiH0aUfOU6.exe, Detection: malicious, Browse Filename: JiH0aUfOU6.exe, Detection: malicious, Browse Filename: 2YLM6BQ9S3.exe, Detection: malicious, Browse Filename: sEOELQpFOB.lnk, Detection: malicious, Browse Filename: ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk, Detection: malicious, Browse Filename: payload_1.hta, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\temp\test\script.a3x

Download File

Process:	C:\Users\user\Desktop\in.exe
File Type:	data
Category:	dropped
Size (bytes):	596068
Entropy (8bit):	7.046002869734329
Encrypted:	false
SSDEEP:	12288:8ndundYUg4RXhXw2NyGOhxpLP0bIlixpA5pqSuYb:w2YTYGGOPpLP5Ex4DR
MD5:	00827B8CDDBA776D6F1EFE6CCBEE5BA8
SHA1:	F95C000F3B75114A3C718D4F25A746B3D447320E
SHA-256:	28DE3DE19D2710510CFF515E3FED683105BA1DA0F644961F0A499B8F610E22C8
SHA-512:	88FD8750E47FBCC847BF61A3932435FF35520EDE61E211AF6DC070D218CEF7DAC552E0979DA84CDD4561C0E182EA3F62AD8D806040FD7D0E9C1B45F88CF3D36F
Malicious:	false
Preview:	C:j...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................C:j.....................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.190777590447857
TrID:	Win32 Executable (generic) a (10002005/4) 98.88% Inno Setup installer (109748/4) 1.08% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	in.exe
File size:	4'157'976 bytes
MD5:	ea3874838d38c5e9ee97748af1d561cb
SHA1:	18cd397a8f1a29585ac2c928fc7da346dae68e91
SHA256:	1ffa8b06cb779360f8c42ccd4527ae3076d25d11b3a90976f04ea430173e9b85
SHA512:	5f438ab1aeb39dbbb61a825cc6dab21f7420d56c593c80dd4919e9f19bb82aed6856db5b2997bfc0e91249935d1a347d9b0a8a7563ab27cdfeec00d8c69829c1
SSDEEP:	49152:aR/KpmZubwf2S8W2ILeWl+C1p9jWy5Snd0eigX+lluBLflz0Lk/rfSxnN3Tz64IB:8/jeYLP1Sy5E0Yplz0Lk/INXUraBA/h
TLSH:	4E169E1ABB58B03EE0BB173385378A505537FE617922CC9A67F0398C4F795D03B6A612
File Content Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	e88c97b3a2938e61

Static PE Info

General

Entrypoint:	0x65c4a4
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5EC61809 [Thu May 21 05:56:25 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	16c8c7a62c852018ed02e453e144c998

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	24/12/2024 15:35:01 25/12/2025 15:35:01
Subject Chain	CN=Technic AS Plus Inc., O=Technic AS Plus Inc., STREET=5240 Loyola Saint-Leonard, L=Montreal, S=Quebec, C=CA, OID.1.3.6.1.4.1.311.60.2.1.3=CA, SERIALNUMBER=920816-0, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	E27B570CC7EDFA7EC19B06773E1247A6
Thumbprint SHA-1:	F8E657AB86105C880CACACC939661F85E24769AF
Thumbprint SHA-256:	A516C53272112BC732B6880AAAEBD59370D0C1CF5D646F1D921FAAFCF86366DB
Serial:	4BC418BDB4B1330B041BE689

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
push esi
push edi
mov eax, 00651408h
call 00007F74D08E9052h
mov eax, dword ptr [00662788h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000188h]
push FFFFFFECh
push eax
call 00007F74D08ED0B1h
mov edx, dword ptr [00662788h]
mov edx, dword ptr [edx]
mov edx, dword ptr [edx+00000188h]
and eax, FFFFFF7Fh
push eax
push FFFFFFECh
push edx
call 00007F74D08ED09Dh
xor eax, eax
push ebp
push 0065C528h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000001h
call 00007F74D08EC408h
call 00007F74D0B2B4E3h
mov eax, dword ptr [00651030h]
push eax
push 006510C8h
mov eax, dword ptr [00662788h]
mov eax, dword ptr [eax]
call 00007F74D0A7D288h
call 00007F74D0B2B537h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007F74D0B3688Bh
jmp 00007F74D08E1DC8h
call 00007F74D0B2B27Fh
mov eax, 00000001h
call 00007F74D08E28B1h
call 00007F74D08E220Ch
mov eax, dword ptr [00662788h]
mov eax, dword ptr [eax]
mov edx, 0065C6BCh
call 00007F74D0A7CD5Fh
push 00000005h
mov eax, dword ptr [00662788h]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000188h]
push eax
call 00007F74D08ECDC6h
mov eax, dword ptr [00662788h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x270000	0x97	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x26b000	0x35d8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x273000	0x1911c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3f6000	0x1218	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x272000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x26b94c	0x848	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x26f000	0x9ee	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2581fc	0x258200	d522cd1a0afeaa9ef5024789e19cc2ef	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x25a000	0x26c8	0x2800	367bc90dd8be7c6a1056ad2a82281084	False	0.503125	data	6.119631643767066	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x25d000	0x5a64	0x5c00	c20c3606951695cd5626a53022531398	False	0.40281080163043476	data	5.055173307610014	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x263000	0x780c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x26b000	0x35d8	0x3600	6cbfeeac8d17ca3b356e9c16e6f19fc1	False	0.33622685185185186	data	5.280395234482991	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x26f000	0x9ee	0xa00	2726dff14c86e88d2aaa4303cf2dc681	False	0.36328125	data	4.360393246158077	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x270000	0x97	0x200	8c377a4128fcc7899b263e28899a337b	False	0.251953125	data	1.7456444612923019	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x271000	0x44	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x272000	0x5d	0x200	549e425037fe57817fc75df38c52f354	False	0.189453125	data	1.4022224415966043	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x273000	0x1911c8	0x191200	472d071e032c00d4d0da44d6fa14133d	False	0.75464635595201	data	7.815757913596491	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PHPKTEMTUM5HYZG62F48E7CWQ9UV	0x273dd0	0x177408	data			0.7441139221191406
RT_CURSOR	0x3eb1d8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x3eb30c	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x3eb440	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x3eb574	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x3eb6a8	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x3eb7dc	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x3eb910	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x3eba44	0xd28	Device independent bitmap graphic, 48 x 48 x 8, image size 0, resolution 3780 x 3780 px/m, 256 important colors			0.16508313539192399
RT_BITMAP	0x3ec76c	0x32a	Device independent bitmap graphic, 16 x 16 x 24, image size 770, resolution 3779 x 3779 px/m			0.2074074074074074
RT_ICON	0x3eca98	0x4902	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9955056179775281
RT_ICON	0x3f139c	0x173d	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	0.9887376029584805
RT_ICON	0x3f2adc	0xf46	PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced	English	United States	1.0028132992327365
RT_ICON	0x3f3a24	0xa52	PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced	English	United States	1.0041635124905375
RT_ICON	0x3f4478	0x926	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0046968403074295
RT_ICON	0x3f4da0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600, resolution 3780 x 3780 px/m	English	United States	0.17645228215767636
RT_ICON	0x3f7348	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224, resolution 3780 x 3780 px/m	English	United States	0.24812382739212008
RT_ICON	0x3f83f0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400, resolution 3780 x 3780 px/m	English	United States	0.3073770491803279
RT_ICON	0x3f8d78	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088, resolution 3780 x 3780 px/m	English	United States	0.42819148936170215
RT_STRING	0x3f91e0	0x6c	data			0.6018518518518519
RT_STRING	0x3f924c	0x250	data			0.46790540540540543
RT_STRING	0x3f949c	0x204	data			0.46705426356589147
RT_STRING	0x3f96a0	0x3ec	data			0.3894422310756972
RT_STRING	0x3f9a8c	0x410	data			0.41634615384615387
RT_STRING	0x3f9e9c	0x160	data			0.59375
RT_STRING	0x3f9ffc	0xd0	data			0.6778846153846154
RT_STRING	0x3fa0cc	0x2f4	data			0.43253968253968256
RT_STRING	0x3fa3c0	0x3fc	data			0.37941176470588234
RT_STRING	0x3fa7bc	0x49c	data			0.35338983050847456
RT_STRING	0x3fac58	0x29c	data			0.31736526946107785
RT_STRING	0x3faef4	0x3f0	data			0.43154761904761907
RT_STRING	0x3fb2e4	0x438	data			0.3731481481481482
RT_STRING	0x3fb71c	0x3ac	data			0.3861702127659574
RT_STRING	0x3fbac8	0x404	data			0.3764591439688716
RT_STRING	0x3fbecc	0x2ac	data			0.38742690058479534
RT_STRING	0x3fc178	0xb8	data			0.657608695652174
RT_STRING	0x3fc230	0xd0	data			0.6201923076923077
RT_STRING	0x3fc300	0x354	data			0.4284037558685446
RT_STRING	0x3fc654	0x3ac	data			0.3425531914893617
RT_STRING	0x3fca00	0x354	data			0.3826291079812207
RT_STRING	0x3fcd54	0x2c0	data			0.41051136363636365
RT_RCDATA	0x3fd014	0x10	data			1.5
RT_RCDATA	0x3fd024	0x1800	PE32+ executable (console) x86-64, for MS Windows	English	United States	0.3924153645833333
RT_RCDATA	0x3fe824	0xac4	data			0.5446298984034833
RT_RCDATA	0x3ff2e8	0x147	Delphi compiled form 'TMainForm'			0.746177370030581
RT_RCDATA	0x3ff430	0x480	Delphi compiled form 'TNewDiskForm'			0.5034722222222222
RT_RCDATA	0x3ff8b0	0x400	Delphi compiled form 'TSelectFolderForm'			0.5087890625
RT_RCDATA	0x3ffcb0	0x4b5	Delphi compiled form 'TSelectLanguageForm'			0.5004149377593361
RT_RCDATA	0x400168	0x7ff	Delphi compiled form 'TUninstallProgressForm'			0.4054714215925745
RT_RCDATA	0x400968	0x55c	Delphi compiled form 'TUninstSharedFileForm'			0.41690962099125367
RT_RCDATA	0x400ec4	0x2ac9	Delphi compiled form 'TWizardForm'			0.19811923673879303
RT_GROUP_CURSOR	0x403990	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x4039a4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x4039b8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x4039cc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x4039e0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x4039f4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x403a08	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x403a1c	0x84	data	English	United States	0.7196969696969697
RT_MANIFEST	0x403aa0	0x726	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4005464480874317

Imports

DLL	Import
mpr.dll	WNetEnumResourceW, WNetGetUniversalNameW, WNetGetConnectionW, WNetCloseEnum, WNetOpenEnumW
comdlg32.dll	GetSaveFileNameW, GetOpenFileNameW
comctl32.dll	FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_Draw, ImageList_Remove
shell32.dll	SHBrowseForFolderW, ExtractIconW, SHGetMalloc, SHGetFileInfoW, SHChangeNotify, Shell_NotifyIconW, ShellExecuteW, SHGetPathFromIDListW, ShellExecuteExW
user32.dll	CopyImage, CreateWindowExW, GetMenuItemInfoW, SetMenuItemInfoW, DefFrameProcW, GetDCEx, GetMessageW, PeekMessageW, MonitorFromWindow, GetDlgCtrlID, ScrollWindowEx, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, FrameRect, MapVirtualKeyW, OffsetRect, IsWindowUnicode, RegisterWindowMessageW, FillRect, GetMenuStringW, DispatchMessageW, SendMessageA, DefMDIChildProcW, EnumWindows, GetClassInfoW, GetSystemMenu, WaitForInputIdle, ShowOwnedPopups, GetScrollRange, GetScrollPos, SetScrollPos, GetActiveWindow, SetActiveWindow, DrawEdge, InflateRect, GetKeyboardLayoutList, OemToCharBuffA, LoadBitmapW, DrawFocusRect, EnumChildWindows, GetScrollBarInfo, SendNotifyMessageW, ReleaseCapture, UnhookWindowsHookEx, LoadCursorW, GetCapture, SetCapture, CreatePopupMenu, ScrollWindow, ShowCaret, GetMenuItemID, GetLastActivePopup, CharLowerBuffW, GetSystemMetrics, SetWindowLongW, PostMessageW, DrawMenuBar, SetParent, IsZoomed, CharUpperBuffW, GetClientRect, IsChild, ClientToScreen, SetWindowPlacement, IsIconic, CallNextHookEx, GetMonitorInfoW, ShowWindow, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, SetForegroundWindow, GetWindowTextW, EnableWindow, DestroyWindow, IsDialogMessageW, EndMenu, RegisterClassW, CharNextW, GetWindowThreadProcessId, RedrawWindow, GetDC, GetFocus, SetFocus, EndPaint, ExitWindowsEx, ReleaseDC, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, GetClassLongW, ActivateKeyboardLayout, GetParent, CharToOemBuffA, DrawTextW, SetScrollRange, InsertMenuItemW, PeekMessageA, GetPropW, SetClassLongW, MessageBoxW, MessageBeep, SetPropW, SetRectEmpty, UpdateWindow, RemovePropW, GetSubMenu, MsgWaitForMultipleObjects, DestroyMenu, DestroyIcon, SetWindowsHookExW, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, AdjustWindowRectEx, DrawIcon, IsWindow, EnumThreadWindows, InvalidateRect, GetKeyboardState, DrawFrameControl, ScreenToClient, SendMessageTimeoutW, BringWindowToTop, SetCursor, CreateIcon, CreateMenu, LoadStringW, CharLowerW, SetWindowPos, SetWindowRgn, GetMenuItemCount, RemoveMenu, AppendMenuW, GetSysColorBrush, GetKeyboardLayoutNameW, GetWindowDC, TranslateMessage, DrawTextExW, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, DestroyCursor, ReplyMessage, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, EnableScrollBar, GetSysColor, TrackPopupMenu, DrawIconEx, PostQuitMessage, GetClassNameW, ShowScrollBar, EnableMenuItem, GetIconInfo, GetMessagePos, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, GetCursorPos, SetCursorPos, HideCaret, GetMenu, GetMenuState, SetMenu, SetRect, GetKeyState, FindWindowExW, MonitorFromPoint, SystemParametersInfoW, LoadIconW, GetCursor, GetWindow, GetWindowLongW, GetWindowRect, InsertMenuW, KillTimer, WaitMessage, IsWindowEnabled, IsDialogMessageA, TranslateMDISysAccel, GetWindowPlacement, FindWindowW, DeleteMenu, GetKeyboardLayout
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll	SafeArrayPutElement, LoadTypeLib, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, GetActiveObject, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, RegisterTypeLib, VariantChangeType, VariantCopyInd
advapi32.dll	RegSetValueExW, RegEnumKeyExW, AdjustTokenPrivileges, OpenThreadToken, GetUserNameW, RegDeleteKeyW, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegQueryInfoKeyW, AllocateAndInitializeSid, FreeSid, EqualSid, RegDeleteValueW, RegFlushKey, RegQueryValueExW, RegEnumValueW, GetTokenInformation, InitializeSecurityDescriptor, RegCloseKey, RegCreateKeyExW, SetSecurityDescriptorDacl
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
kernel32.dll	SetFileAttributesW, SetFileTime, GetACP, GetExitCodeProcess, IsBadWritePtr, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, QueryPerformanceFrequency, FindNextFileW, GetFullPathNameW, VirtualFree, ExitProcess, HeapAlloc, WriteProfileStringW, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, HeapDestroy, CompareFileTime, ReadFile, CreateProcessW, TransactNamedPipe, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, OpenMutexW, CreateThread, CompareStringW, CopyFileW, CreateMutexW, LoadLibraryA, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, MoveFileW, GlobalAddAtomW, GetSystemTimeAsFileTime, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, GetCurrentThread, GetLogicalDrives, LocalFileTimeToFileTime, SetNamedPipeHandleState, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetShortPathNameW, GetCurrentThreadId, UnhandledExceptionFilter, MoveFileExW, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, FlushFileBuffers, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GetStartupInfoW, GlobalDeleteAtom, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, DeviceIoControl, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, lstrcmpW, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateNamedPipeW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetOverlappedResult, GetSystemDefaultUILanguage, EnumCalendarInfoW, GetProfileStringW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, IsDBCSLeadByte, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
ole32.dll	StgCreateDocfileOnILockBytes, CoCreateInstance, CLSIDFromString, CoUninitialize, IsEqualGUID, OleInitialize, CoFreeUnusedLibraries, CreateILockBytesOnHGlobal, CLSIDFromProgID, OleUninitialize, CoDisconnectObject, CoInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID
gdi32.dll	Arc, Pie, SetBkMode, SelectPalette, CreateCompatibleBitmap, ExcludeClipRect, RectVisible, SetWindowOrgEx, MaskBlt, AngleArc, Chord, SetTextColor, StretchBlt, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, RemoveFontResourceW, GetWindowOrgEx, CreatePalette, CreateBrushIndirect, PatBlt, LineDDA, PolyBezierTo, GetStockObject, CreateSolidBrush, Polygon, Rectangle, MoveToEx, DeleteDC, SaveDC, BitBlt, Ellipse, FrameRgn, GetDeviceCaps, GetBitmapBits, GetTextExtentPoint32W, GetClipBox, Polyline, IntersectClipRect, GetSystemPaletteEntries, CreateBitmap, AddFontResourceW, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, CreatePenIndirect, SetStretchBltMode, GetDIBits, CreateFontIndirectW, PolyBezier, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, DeleteObject, SelectObject, ExtFloodFill, UnrealizeObject, SetBkColor, CreateCompatibleDC, GetObjectW, GetBrushOrgEx, GetCurrentPositionEx, SetROP2, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, ArcTo, GdiFlush, SetPixel, EnumFontFamiliesExW, GetPaletteEntries

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4aefc0
__dbk_fcall_wrapper	2	0x40eb68
dbkFCallWrapperAddr	1	0x66663c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	05:39:09
Start date:	07/02/2025
Path:	C:\Users\user\Desktop\in.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\in.exe"
Imagebase:	0x400000
File size:	4'157'976 bytes
MD5 hash:	EA3874838D38C5E9EE97748AF1D561CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:39:10
Start date:	07/02/2025
Path:	C:\temp\test\Autoit3.exe
Wow64 process (32bit):	true
Commandline:	"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
Imagebase:	0x790000
File size:	893'608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000002.00000002.1448972639.0000000004198000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.1448644940.0000000003F77000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000002.00000002.1448644940.0000000003F77000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.1448972639.0000000004131000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs Detection: 4%, Virustotal, Browse
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:39:12
Start date:	07/02/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\dkhkhfh\ddekcba
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:39:12
Start date:	07/02/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:39:12
Start date:	07/02/2025
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic ComputerSystem get domain
Imagebase:	0x50000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Source: in.exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: in.exe, 00000000.00000002.1403210914.0000000002B3C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1400109742.0000000006774000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1399932274.0000000006853000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1405189984.000000000495C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: in.exe, 00000000.00000002.1403210914.0000000002B3C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1400109742.0000000006774000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1399932274.0000000006853000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1405189984.000000000495C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: in.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: in.exe, 00000000.00000002.1403210914.0000000002B3C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1400109742.0000000006774000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1399932274.0000000006853000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1405189984.000000000495C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: in.exe, 00000000.00000002.1407285255.000000000678A000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1403210914.0000000002B3C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1400109742.0000000006774000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1399932274.0000000006853000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1405189984.000000000495C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Autoit3.exe, Autoit3.exe, 00000002.00000002.1448644940.0000000003F77000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1448972639.0000000004131000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/ip
Source: Autoit3.exe, 00000002.00000002.1448644940.0000000003F77000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1448972639.0000000004131000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/ipU
Source: in.exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: in.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: in.exe, 00000000.00000002.1403210914.0000000002B3C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1400109742.0000000006774000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1399932274.0000000006853000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1405189984.000000000495C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: in.exe, 00000000.00000002.1403210914.0000000002B3C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1400109742.0000000006774000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1399932274.0000000006853000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1405189984.000000000495C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: in.exe, 00000000.00000002.1403210914.0000000002B3C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1400109742.0000000006774000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1399932274.0000000006853000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1405189984.000000000495C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: in.exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: in.exe, 00000000.00000002.1403210914.0000000002B3C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1400109742.0000000006774000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1399932274.0000000006853000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1405189984.000000000495C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: in.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: in.exe, 00000000.00000002.1403210914.0000000002B3C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1400109742.0000000006774000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1399932274.0000000006853000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1405189984.000000000495C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: in.exe	String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: in.exe, 00000000.00000002.1403210914.0000000002B3C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1400109742.0000000006774000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1399932274.0000000006853000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1405189984.000000000495C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000002.00000002.1447353658.0000000000859000.00000002.00000001.01000000.00000004.sdmp, Autoit3.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: in.exe	String found in binary or memory: http://www.innosetup.com/
Source: in.exe	String found in binary or memory: http://www.remobjects.com/ps
Source: Autoit3.exe, 00000002.00000002.1448813477.0000000004030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/u/0/#inbox
Source: in.exe, 00000000.00000002.1403210914.0000000002B3C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1400109742.0000000006774000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1399932274.0000000006853000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1405189984.000000000495C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Autoit3.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: in.exe, 00000000.00000002.1407285255.000000000678A000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1403210914.0000000002B3C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1400109742.0000000006774000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1399932274.0000000006853000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1405189984.000000000495C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report in.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\dkhkhfh\ddekcba

C:\Users\user\AppData\Roaming\ChbFbab

C:\temp\test\Autoit3.exe

C:\temp\test\script.a3x

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
in.exe