Windows Analysis Report
in.exe

Overview

General Information

Sample name: in.exe
Analysis ID: 1609152
MD5: ea3874838d38c5e9ee97748af1d561cb
SHA1: 18cd397a8f1a29585ac2c928fc7da346dae68e91
SHA256: 1ffa8b06cb779360f8c42ccd4527ae3076d25d11b3a90976f04ea430173e9b85
Tags: darkgate, exe, user-smica83

Detection

DarkGate, MailPassView
Score: 72
Range: 0 - 100
Confidence: 100%

Signatures

Yara detected DarkGate
Yara detected MailPassView
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the product ID of Windows
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • in.exe (PID: 7072 cmdline: "C:\Users\user\Desktop\in.exe" MD5: EA3874838D38C5E9EE97748AF1D561CB)
    • Autoit3.exe (PID: 7128 cmdline: "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)
      • cmd.exe (PID: 6400 cmdline: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\eadedcf\eggdacf MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 3620 cmdline: wmic ComputerSystem get domain MD5: E2DE6500DE1148C7F6027AD50AC8B891)
Name: DarkGate
Description: First documented in 2018, DarkGate is a commodity loader with features that include the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, keylogging, information-stealing capabilities, and privilege escalation. DarkGate makes use of legitimate AutoIt files and typically runs multiple AutoIt scripts. New versions of DarkGate have been advertised on a Russian language eCrime forum since May 2023.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate
No configs have been found
Source | Rule | Description | Author
00000001.00000002.1739491326.0000000004367000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000001.00000002.1739491326.0000000004367000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security
00000001.00000002.1739863768.0000000004588000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_DarkGate | Yara detected DarkGate | Joe Security
00000001.00000002.1739863768.0000000004521000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
No Sigma rule has matched
No Suricata rule has matched
            Source: in.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
            Source: in.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_047F411C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_047F411C
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D14005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_00D14005
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D1C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_00D1C2FF
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D1494A GetFileAttributesW,FindFirstFileW,FindClose,1_2_00D1494A
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D1CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_00D1CD9F
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D1CD14 FindFirstFileW,FindClose,1_2_00D1CD14
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D1F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00D1F5D8
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D1F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00D1F735
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D1FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_00D1FA36
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D13CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_00D13CE2
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_0165C5BD GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,1_2_0165C5BD
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_0457A584 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,1_2_0457A584
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_045289F4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,1_2_045289F4
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_04528AFC FindFirstFileA,GetLastError,1_2_04528AFC
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_045731F8 FindFirstFileW,FindNextFileW,FindClose,1_2_045731F8
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_04553D68 FindFirstFileW,FindNextFileW,FindClose,1_2_04553D68
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_0453BD8C FindFirstFileA,FindNextFileA,FindClose,1_2_0453BD8C
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_04525974 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,1_2_04525974
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_0457BA70 FindFirstFileW,FindNextFileW,FindClose,1_2_0457BA70
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D229BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,1_2_00D229BA
            Source: in.exeString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
            Source: in.exe, 00000000.00000002.1691448767.00000000048BC000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1689892587.0000000002A9C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687361413.00000000067B3000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687534807.00000000066D4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.drString found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
            Source: in.exe, 00000000.00000002.1691448767.00000000048BC000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1689892587.0000000002A9C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687361413.00000000067B3000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687534807.00000000066D4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
            Source: in.exeString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
            Source: in.exe, 00000000.00000002.1691448767.00000000048BC000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1689892587.0000000002A9C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687361413.00000000067B3000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687534807.00000000066D4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
            Source: in.exe, 00000000.00000002.1691448767.00000000048BC000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1689892587.0000000002A9C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687361413.00000000067B3000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1692784094.00000000066EA000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687534807.00000000066D4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.drString found in binary or memory: http://crl.globalsign.net/root-r3.crl0
            Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1739491326.0000000004367000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1739863768.0000000004521000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ipinfo.io/ip
            Source: Autoit3.exe, 00000001.00000002.1739491326.0000000004367000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1739863768.0000000004521000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ipinfo.io/ipU
            Source: in.exeString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
            Source: in.exeString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
            Source: in.exe, 00000000.00000002.1691448767.00000000048BC000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1689892587.0000000002A9C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687361413.00000000067B3000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687534807.00000000066D4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
            Source: in.exe, 00000000.00000002.1691448767.00000000048BC000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1689892587.0000000002A9C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687361413.00000000067B3000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687534807.00000000066D4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.drString found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
            Source: in.exe, 00000000.00000002.1691448767.00000000048BC000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1689892587.0000000002A9C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687361413.00000000067B3000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687534807.00000000066D4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
            Source: in.exeString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
            Source: in.exe, 00000000.00000002.1691448767.00000000048BC000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1689892587.0000000002A9C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687361413.00000000067B3000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687534807.00000000066D4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
            Source: in.exeString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
            Source: in.exe, 00000000.00000002.1691448767.00000000048BC000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1689892587.0000000002A9C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687361413.00000000067B3000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687534807.00000000066D4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.drString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
            Source: in.exeString found in binary or memory: http://www.autoitscript.com/autoit3/
            Source: in.exe, 00000000.00000002.1691448767.00000000048BC000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1689892587.0000000002A9C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687361413.00000000067B3000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687534807.00000000066D4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1737971210.0000000000D79000.00000002.00000001.01000000.00000004.sdmp, Autoit3.exe.0.drString found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: in.exeString found in binary or memory: http://www.innosetup.com/
            Source: in.exeString found in binary or memory: http://www.remobjects.com/ps
            Source: Autoit3.exe, 00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/u/0/#inbox
            Source: in.exe, 00000000.00000002.1691448767.00000000048BC000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1689892587.0000000002A9C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687361413.00000000067B3000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687534807.00000000066D4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.drString found in binary or memory: https://www.autoitscript.com/autoit3/
            Source: Autoit3.exe.0.drString found in binary or memory: https://www.globalsign.com/repository/0
            Source: in.exe, 00000000.00000002.1691448767.00000000048BC000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1689892587.0000000002A9C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687361413.00000000067B3000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1692784094.00000000066EA000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687534807.00000000066D4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.drString found in binary or memory: https://www.globalsign.com/repository/06
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D24632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,1_2_00D24632
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D24830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,1_2_00D24830
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_0455B188 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,1_2_0455B188
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D10508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,1_2_00D10508
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D3D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_00D3D164
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_04553A74 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,1_2_04553A74
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_04574478 NtOpenProcess,1_2_04574478
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_04574420 NtQueryObject,NtQueryObject,1_2_04574420
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_045744C8 NtQuerySystemInformation,NtDuplicateObject,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,1_2_045744C8
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_0457476C Sleep,TerminateThread,NtClose,NtClose,1_2_0457476C
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_045743EC NtDuplicateObject,NtClose,1_2_045743EC
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_04552CF0 BeginPaint,SetBkMode,TextOutA,EndPaint,PostQuitMessage,NtdllDefWindowProc_A,1_2_04552CF0
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_0454AF84 GetCurrentProcessId,OpenProcess,InitializeProcThreadAttributeList,GetProcessHeap,RtlAllocateHeap,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,1_2_0454AF84
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_0454B2A4 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,1_2_0454B2A4
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D142D5: CreateFileW,DeviceIoControl,CloseHandle,1_2_00D142D5
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D08F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,1_2_00D08F2E
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D15778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,1_2_00D15778
            Source: Joe Sandbox ViewDropped File: C:\temp\test\Autoit3.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
            Source: C:\temp\test\Autoit3.exeCode function: String function: 04524904 appears 92 times
            Source: C:\temp\test\Autoit3.exeCode function: String function: 00CC1A36 appears 34 times
            Source: C:\temp\test\Autoit3.exeCode function: String function: 04524668 appears 48 times
            Source: C:\temp\test\Autoit3.exeCode function: String function: 045521B8 appears 36 times
            Source: C:\temp\test\Autoit3.exeCode function: String function: 04526980 appears 111 times
            Source: C:\temp\test\Autoit3.exeCode function: String function: 00CD0D17 appears 70 times
            Source: C:\temp\test\Autoit3.exeCode function: String function: 04524394 appears 101 times
            Source: C:\temp\test\Autoit3.exeCode function: String function: 00CD8B30 appears 42 times
            Source: C:\Users\user\Desktop\in.exeCode function: String function: 06638768 appears 32 times
            Source: in.exeStatic PE information: invalid certificate
            Source: in.exeStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
            Source: in.exeBinary or memory string: OriginalFilename vs in.exe
            Source: in.exe, 00000000.00000002.1691448767.00000000048BC000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAutoIt3.exeB vs in.exe
            Source: in.exe, 00000000.00000002.1689892587.0000000002A9C000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAutoIt3.exeB vs in.exe
            Source: in.exe, 00000000.00000003.1687361413.00000000067B3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAutoIt3.exeB vs in.exe
            Source: in.exe, 00000000.00000003.1687534807.00000000066D4000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAutoIt3.exeB vs in.exe
            Source: classification engineClassification label: mal72.troj.spyw.evad.winEXE@8/4@0/0
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D1A6AD GetLastError,FormatMessageW,1_2_00D1A6AD
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D08DE9 AdjustTokenPrivileges,CloseHandle,1_2_00D08DE9
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D09399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,1_2_00D09399
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D1B976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,1_2_00D1B976
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D14148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,1_2_00D14148
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D1C9DA CoInitialize,CoCreateInstance,CoUninitialize,1_2_00D1C9DA
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D1443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,1_2_00D1443D
            Source: C:\temp\test\Autoit3.exeFile created: C:\Users\user\AppData\Roaming\aaKHGGC
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_03
            Source: C:\Users\user\Desktop\in.exeFile created: c:\temp\test
            Source: C:\Users\user\Desktop\in.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\temp\test\Autoit3.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\temp\test\Autoit3.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Users\user\Desktop\in.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: in.exeString found in binary or memory: -Helper process exited with failure code: 0x%x
            Source: in.exeString found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
            Source: in.exeString found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
            Source: in.exeString found in binary or memory: /LoadInf=
            Source: C:\Users\user\Desktop\in.exeFile read: C:\Users\user\Desktop\in.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\in.exe "C:\Users\user\Desktop\in.exe"
            Source: C:\Users\user\Desktop\in.exeProcess created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
            Source: C:\temp\test\Autoit3.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\eadedcf\eggdacf
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain
            Source: C:\Users\user\Desktop\in.exeProcess created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3xJump to behavior
            Source: C:\temp\test\Autoit3.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\eadedcf\eggdacfJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domainJump to behavior
            Source: C:\Users\user\Desktop\in.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\in.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\in.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\in.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\in.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\in.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\in.exeSection loaded: wtsapi32.dllJump to behavior
            Source: C:\Users\user\Desktop\in.exeSection loaded: winsta.dllJump to behavior
            Source: C:\Users\user\Desktop\in.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: version.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: winmm.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: mpr.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: wininet.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: userenv.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: netutils.dllJump to behavior
            Source: C:\temp\test\Autoit3.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: vbscript.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: in.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: in.exeStatic file information: File size 4157976 > 1048576
            Source: in.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x258200
            Source: in.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x191200
            Source: in.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D2C6D9 LoadLibraryA,GetProcAddress,1_2_00D2C6D9
            Source: in.exeStatic PE information: section name: .didata
            Source: C:\Users\user\Desktop\in.exeCode function: 0_3_066387AD push ecx; ret 0_3_066387C0
            Source: C:\Users\user\Desktop\in.exeCode function: 0_3_06615ED7 push esp; ret 0_3_06615ED8
            Source: C:\Users\user\Desktop\in.exeCode function: 0_3_06615ED7 push esp; ret 0_3_06615ED8
            Source: C:\Users\user\Desktop\in.exeCode function: 0_3_06615EAD push esp; ret 0_3_06615EAE
            Source: C:\Users\user\Desktop\in.exeCode function: 0_3_06615EAD push esp; ret 0_3_06615EAE
            Source: C:\Users\user\Desktop\in.exeCode function: 0_3_06615BA5 push edi; ret 0_3_06615BA6
            Source: C:\Users\user\Desktop\in.exeCode function: 0_3_06615BA5 push edi; ret 0_3_06615BA6
            Source: C:\Users\user\Desktop\in.exeCode function: 0_3_06615ED7 push esp; ret 0_3_06615ED8
            Source: C:\Users\user\Desktop\in.exeCode function: 0_3_06615ED7 push esp; ret 0_3_06615ED8
            Source: C:\Users\user\Desktop\in.exeCode function: 0_3_06615EAD push esp; ret 0_3_06615EAE
            Source: C:\Users\user\Desktop\in.exeCode function: 0_3_06615EAD push esp; ret 0_3_06615EAE
            Source: C:\Users\user\Desktop\in.exeCode function: 0_3_06615BA5 push edi; ret 0_3_06615BA6
            Source: C:\Users\user\Desktop\in.exeCode function: 0_3_06615BA5 push edi; ret 0_3_06615BA6
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_047F8540 push 047F8607h; ret 0_2_047F85FF
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_047F84D4 push 047F84FEh; ret 0_2_047F84F6
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_047F84D0 push 047F84FEh; ret 0_2_047F84F6
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_047F8500 push 047F8607h; ret 0_2_047F85FF
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_047F474C push 047F479Dh; ret 0_2_047F4795
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_047F8090 push 047F820Ch; ret 0_2_047F8204
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_047F8210 push 047F827Fh; ret 0_2_047F8277
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_047F820E push 047F827Fh; ret 0_2_047F8277
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_047F2C64 push eax; ret 0_2_047F2CA0
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_047F4D9C push 047F4DC8h; ret 0_2_047F4DC0
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_04826FD3 push edi; ret 0_2_04826FD5
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_04826F61 push edi; ret 0_2_04826F70
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_047F49CC push 047F49F8h; ret 0_2_047F49F0
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_047F4994 push 047F49C0h; ret 0_2_047F49B8
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_047F4AE4 push 047F4B10h; ret 0_2_047F4B08
            Source: C:\Users\user\Desktop\in.exeCode function: 0_2_047F4B1C push 047F4DC8h; ret 0_2_047F4DC0
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00CBC6D5 push 00000046h; iretd 1_2_00CBC6D7
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00CDE93F push edi; ret 1_2_00CDE941
            Source: C:\Users\user\Desktop\in.exeFile created: C:\temp\test\Autoit3.exeJump to dropped file
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00D359B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,1_2_00D359B3
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00CC5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,1_2_00CC5EDA
            Source: C:\temp\test\Autoit3.exeCode function: 1_2_00CD33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00CD33B7
            Source: C:\Users\user\Desktop\in.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\in.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\in.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\in.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\in.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
            Source: C:\temp\test\Autoit3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0457C828 1_2_0457C828
            Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1739491326.0000000004367000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1739863768.0000000004521000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SUPERANTISPYWARE.EXE
            Source: C:\Users\user\Desktop\in.exe | API coverage: 6.2 %
            Source: C:\temp\test\Autoit3.exe | API coverage: 5.1 %
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0457C828 1_2_0457C828
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Domain FROM Win32_ComputerSystem
            Source: C:\Users\user\Desktop\in.exe | Code function: 0_2_047F411C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_047F411C
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D14005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_00D14005
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D1C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_00D1C2FF
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D1494A GetFileAttributesW,FindFirstFileW,FindClose,1_2_00D1494A
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D1CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_00D1CD9F
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D1CD14 FindFirstFileW,FindClose,1_2_00D1CD14
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D1F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00D1F5D8
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D1F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00D1F735
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D1FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_00D1FA36
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D13CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_00D13CE2
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0165C5BD GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,1_2_0165C5BD
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0457A584 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,1_2_0457A584
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_045289F4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,1_2_045289F4
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_04528AFC FindFirstFileA,GetLastError,1_2_04528AFC
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_045731F8 FindFirstFileW,FindNextFileW,FindClose,1_2_045731F8
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_04553D68 FindFirstFileW,FindNextFileW,FindClose,1_2_04553D68
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0453BD8C FindFirstFileA,FindNextFileA,FindClose,1_2_0453BD8C
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_04525974 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,1_2_04525974
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0457BA70 FindFirstFileW,FindNextFileW,FindClose,1_2_0457BA70
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00CC5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,1_2_00CC5D13
            Source: Autoit3.exe, 00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware
            Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1739491326.0000000004367000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1739863768.0000000004521000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: microsoft hyper-v video
            Source: Autoit3.exe, 00000001.00000002.1738539957.0000000001671000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
            Source: C:\temp\test\Autoit3.exe | API call chain: ExitProcess graph end node graph_1-141186
            Source: C:\temp\test\Autoit3.exe | Process information queried: ProcessInformation
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D245D5 BlockInput,1_2_00D245D5
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00CC5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,1_2_00CC5240
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00CE5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_00CE5CAC
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D2C6D9 LoadLibraryA,GetProcAddress,1_2_00D2C6D9
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_016691BE mov eax, dword ptr fs:[00000030h] 1_2_016691BE
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0454A79C mov eax, dword ptr fs:[00000030h] 1_2_0454A79C
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0454A79C mov eax, dword ptr fs:[00000030h] 1_2_0454A79C
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_045480A4 mov eax, dword ptr fs:[00000030h] 1_2_045480A4
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D088CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,1_2_00D088CD
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00CDA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00CDA385
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00CDA354 SetUnhandledExceptionFilter,1_2_00CDA354

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0454DCB8 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,1_2_0454DCB8
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0454DCB8 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,1_2_0454DCB8
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D09369 LogonUserW,1_2_00D09369
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00CC5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,1_2_00CC5240
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D11AC6 SendInput,keybd_event,1_2_00D11AC6
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D151E2 mouse_event,1_2_00D151E2
            Source: C:\Users\user\Desktop\in.exe | Process created: C:\temp\test\Autoit3.exe "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
            Source: C:\temp\test\Autoit3.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\eadedcf\eggdacf
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D088CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,1_2_00D088CD
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D14F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,1_2_00D14F1C
            Source: in.exe, 00000000.00000002.1689892587.0000000002A8E000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687534807.00000000066C6000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687361413.00000000067A5000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: in.exe, Autoit3.exe | Binary or memory string: Shell_TrayWnd
            Source: C:\Users\user\Desktop\in.exe | Code function: 0_3_06638493 cpuid 0_3_06638493
            Source: C:\Users\user\Desktop\in.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,0_2_047F42F4
            Source: C:\Users\user\Desktop\in.exe | Code function: GetLocaleInfoA,0_2_047F65F4
            Source: C:\Users\user\Desktop\in.exe | Code function: GetLocaleInfoA,0_2_047F65A8
            Source: C:\Users\user\Desktop\in.exe | Code function: GetLocaleInfoA,0_2_047F46D8
            Source: C:\Users\user\Desktop\in.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,0_2_047F43FF
            Source: C:\temp\test\Autoit3.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,1_2_0165C795
            Source: C:\temp\test\Autoit3.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,1_2_0165C89F
            Source: C:\temp\test\Autoit3.exe | Code function: GetLocaleInfoA,GetACP,1_2_0165FBD1
            Source: C:\temp\test\Autoit3.exe | Code function: GetLocaleInfoA,1_2_0165CBA5
            Source: C:\temp\test\Autoit3.exe | Code function: GetLocaleInfoA,1_2_0165EA79
            Source: C:\temp\test\Autoit3.exe | Code function: GetLocaleInfoA,1_2_0165EA2D
            Source: C:\temp\test\Autoit3.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,1_2_04525B4C
            Source: C:\temp\test\Autoit3.exe | Code function: GetLocaleInfoA,1_2_04526470
            Source: C:\temp\test\Autoit3.exe | Code function: GetLocaleInfoA,GetACP,1_2_0452CC88
            Source: C:\temp\test\Autoit3.exe | Code function: GetLocaleInfoA,1_2_0452B66C
            Source: C:\temp\test\Autoit3.exe | Code function: GetLocaleInfoA,1_2_0452B620
            Source: C:\temp\test\Autoit3.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,1_2_04525C56
            Source: C:\temp\test\Autoit3.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\temp\test\Autoit3.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\temp\test\Autoit3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
            Source: C:\temp\test\Autoit3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00CF0030 GetLocalTime,__swprintf,1_2_00CF0030
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00CF0722 GetUserNameW,1_2_00CF0722
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00CE416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,1_2_00CE416A
            Source: C:\Users\user\Desktop\in.exe | Code function: 0_2_047F47A1 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,0_2_047F47A1
            Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1739491326.0000000004367000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1739863768.0000000004521000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mcshield.exe
            Source: Autoit3.exe, Autoit3.exe, 00000001.00000002.1739491326.0000000004367000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1739863768.0000000004521000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: superantispyware.exe

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000001.00000002.1739491326.0000000004367000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1739863768.0000000004588000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 7128, type: MEMORYSTR
            Source: Yara match | File source: 00000001.00000002.1739491326.0000000004367000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1739863768.0000000004521000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 7128, type: MEMORYSTR
            Source: Autoit3.exe | Binary or memory string: WIN_81
            Source: Autoit3.exe | Binary or memory string: WIN_XP
            Source: Autoit3.exe | Binary or memory string: WIN_XPe
            Source: Autoit3.exe | Binary or memory string: WIN_VISTA
            Source: Autoit3.exe | Binary or memory string: WIN_7
            Source: Autoit3.exe | Binary or memory string: WIN_8
            Source: Autoit3.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

            Source: Yara match | File source: 00000001.00000002.1739491326.0000000004367000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1739863768.0000000004588000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Autoit3.exe PID: 7128, type: MEMORYSTR
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D2696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,1_2_00D2696E
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_00D26E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,1_2_00D26E32
            Source: C:\temp\test\Autoit3.exe | Code function: 1_2_0453CCB4 bind,1_2_0453CCB4
            MITRE ATT&CK Matrix

            The report's tactic-by-technique grid was flattened during extraction; it is reconstructed below one tactic per line, with the cells listed in grid order. A number in front of a technique name is the count badge the report attaches to that technique, kept exactly as extracted.

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: 1 Windows Management Instrumentation; 1 Native API; 2 Command and Scripting Interpreter; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: 1 DLL Side-Loading; 1 Create Account; 2 Valid Accounts; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At
            Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Masquerading; 2 Valid Accounts; 1 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection
            Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 55 System Information Discovery; 261 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: 1 Archive Collected Data; 1 Screen Capture; 21 Input Capture; 3 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1609152
Sample: in.exe
Startdate: 07/02/2025
Architecture: WINDOWS
Score: 72

Signatures attached to the sample node:
• Yara detected DarkGate
• Yara detected MailPassView
• Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Process tree:
• in.exe (started)
  • dropped file: C:\temp\test\Autoit3.exe, PE32
  • Autoit3.exe (started)
    • signatures: Contains functionality to inject threads in other processes; Contains functionality to inject code into remote processes; Contains functionality to detect sleep reduction / modifications
    • cmd.exe (started)
      • WMIC.exe (started)
      • conhost.exe (started)

Source | Detection | Scanner
in.exe | 3% | ReversingLabs
in.exe | 4% | Virustotal

Source | Detection | Scanner
C:\temp\test\Autoit3.exe | 3% | ReversingLabs
C:\temp\test\Autoit3.exe | 4% | Virustotal
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            No contacted domains info
Name | Source | Malicious | Reputation
http://www.innosetup.com/ | in.exe | false | high
http://www.autoitscript.com/autoit3/J | in.exe, 00000000.00000002.1691448767.00000000048BC000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1689892587.0000000002A9C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687361413.00000000067B3000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687534807.00000000066D4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1737971210.0000000000D79000.00000002.00000001.01000000.00000004.sdmp, Autoit3.exe.0.dr | false | high
http://ipinfo.io/ip | Autoit3.exe, Autoit3.exe, 00000001.00000002.1739491326.0000000004367000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1739863768.0000000004521000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmp | false | high
http://www.autoitscript.com/autoit3/ | in.exe | false | high
http://www.remobjects.com/ps | in.exe | false | high
https://mail.google.com/mail/u/0/#inbox | Autoit3.exe, 00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmp | false | high
https://www.autoitscript.com/autoit3/ | in.exe, 00000000.00000002.1691448767.00000000048BC000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000002.1689892587.0000000002A9C000.00000040.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687361413.00000000067B3000.00000004.00001000.00020000.00000000.sdmp, in.exe, 00000000.00000003.1687534807.00000000066D4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.0.dr | false | high
http://ipinfo.io/ipU | Autoit3.exe, 00000001.00000002.1739491326.0000000004367000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1739863768.0000000004521000.00000040.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmp | false | high
                            No contacted IP infos
                            Joe Sandbox version:42.0.0 Malachite
                            Analysis ID:1609152
                            Start date and time:2025-02-07 11:43:54 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 5m 28s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Run name:Run with higher sleep bypass
                            Number of analysed new started processes analysed:5
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:in.exe
                            Detection:MAL
                            Classification:mal72.troj.spyw.evad.winEXE@8/4@0/0
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 115
                            • Number of non-executed functions: 265
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                            • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                            • Stop behavior analysis, all processes terminated
• Not all processes were analyzed, report is missing behavior information
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing disassembly code.
                            No simulations
                            No context
                            No context
                            No context
                            No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\temp\test\Autoit3.exe | KgpiJLs58m.exe | malicious | DarkGate, MailPassView
 | KgpiJLs58m.exe | malicious | DarkGate, MailPassView
 | Notion Setup 4.3.0 (4).exe | malicious | DarkGate, MailPassView
 | Notion Setup 4.3.0 (4).exe | malicious | DarkGate, MailPassView
 | JiH0aUfOU6.exe | malicious | Unknown
 | JiH0aUfOU6.exe | malicious | Unknown
 | 2YLM6BQ9S3.exe | malicious | RedLine
 | sEOELQpFOB.lnk | malicious | RedLine
 | ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk | malicious | RedLine, SectopRAT
                                              Process:C:\Windows\SysWOW64\cmd.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):42
                                              Entropy (8bit):2.9625983186791407
                                              Encrypted:false
                                              SSDEEP:3:Qh9eolFl+KYlFlFYn:Q7eY+32n
                                              MD5:5FA3029F9AE7A8D862595F35388FE268
                                              SHA1:83FE6C53935FFB25026DAD0F2D91509589410525
                                              SHA-256:089DD3174854B653E4543AF0317E1FE55A48FDADB75DCA73ABD942429DB24D10
                                              SHA-512:E6AB80B934811C5312B485B28C80645F6F9E8C786544385D650A62A7E876B91BC09060196CE82BC9493FD0A7F45338EB0C110EA98A35B125C13086E53233E0C8
                                              Malicious:false
                                              Reputation:low
                                              Preview:..D.o.m.a.i.n. . .....k.H.l.U.B. . . .....
                                              Process:C:\temp\test\Autoit3.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):32
                                              Entropy (8bit):3.765319531114783
                                              Encrypted:false
                                              SSDEEP:3:4n7ANwAjHAG:uANuG
                                              MD5:BF2B41A9E579BCAE05BC82AD12F43D87
                                              SHA1:9EFAEB388E6749EF28182E49DCB059866CC1753A
                                              SHA-256:4C0964D8138841E2BB6A22A9BCE0B62587A76B2EEC3F71CA212E5876DBE0BFB1
                                              SHA-512:561C27BAA1C68AD0EFFC211270F60FD2D002377F2CD63F082CC6E8993378175CAD69D09A4571FD84F9B0F5ABEE714DB2F92468A9B66B5A5D8D7D1B0872116A3C
                                              Malicious:false
                                              Reputation:low
                                              Preview:KEEfhdDHKBaCHAFhehKKCeFbeccdHhab
                                              Process:C:\Users\user\Desktop\in.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):893608
                                              Entropy (8bit):6.620131693023677
                                              Encrypted:false
                                              SSDEEP:12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
                                              MD5:C56B5F0201A3B3DE53E561FE76912BFD
                                              SHA1:2A4062E10A5DE813F5688221DBEB3F3FF33EB417
                                              SHA-256:237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
                                              SHA-512:195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 3%
• Antivirus: Virustotal, Detection: 4%
                                              Joe Sandbox View:
• Filename: KgpiJLs58m.exe, Detection: malicious
• Filename: KgpiJLs58m.exe, Detection: malicious
• Filename: Notion Setup 4.3.0 (4).exe, Detection: malicious
• Filename: Notion Setup 4.3.0 (4).exe, Detection: malicious
• Filename: JiH0aUfOU6.exe, Detection: malicious
• Filename: JiH0aUfOU6.exe, Detection: malicious
• Filename: 2YLM6BQ9S3.exe, Detection: malicious
• Filename: sEOELQpFOB.lnk, Detection: malicious
• Filename: ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk, Detection: malicious
                                              Reputation:moderate, very likely benign file
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\in.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):596068
                                              Entropy (8bit):7.046002869734329
                                              Encrypted:false
                                              SSDEEP:12288:8ndundYUg4RXhXw2NyGOhxpLP0bIlixpA5pqSuYb:w2YTYGGOPpLP5Ex4DR
                                              MD5:00827B8CDDBA776D6F1EFE6CCBEE5BA8
                                              SHA1:F95C000F3B75114A3C718D4F25A746B3D447320E
                                              SHA-256:28DE3DE19D2710510CFF515E3FED683105BA1DA0F644961F0A499B8F610E22C8
                                              SHA-512:88FD8750E47FBCC847BF61A3932435FF35520EDE61E211AF6DC070D218CEF7DAC552E0979DA84CDD4561C0E182EA3F62AD8D806040FD7D0E9C1B45F88CF3D36F
                                              Malicious:false
                                              Preview:C:j...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................C:j.....................................
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.190777590447857
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 98.88%
                                              • Inno Setup installer (109748/4) 1.08%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:in.exe
                                              File size:4'157'976 bytes
                                              MD5:ea3874838d38c5e9ee97748af1d561cb
                                              SHA1:18cd397a8f1a29585ac2c928fc7da346dae68e91
                                              SHA256:1ffa8b06cb779360f8c42ccd4527ae3076d25d11b3a90976f04ea430173e9b85
                                              SHA512:5f438ab1aeb39dbbb61a825cc6dab21f7420d56c593c80dd4919e9f19bb82aed6856db5b2997bfc0e91249935d1a347d9b0a8a7563ab27cdfeec00d8c69829c1
                                              SSDEEP:49152:aR/KpmZubwf2S8W2ILeWl+C1p9jWy5Snd0eigX+lluBLflz0Lk/rfSxnN3Tz64IB:8/jeYLP1Sy5E0Yplz0Lk/INXUraBA/h
                                              TLSH:4E169E1ABB58B03EE0BB173385378A505537FE617922CC9A67F0398C4F795D03B6A612
                                              File Content Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                              Icon Hash:e88c97b3a2938e61
                                              Entrypoint:0x65c4a4
                                              Entrypoint Section:.itext
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x5EC61809 [Thu May 21 05:56:25 2020 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:6
                                              OS Version Minor:0
                                              File Version Major:6
                                              File Version Minor:0
                                              Subsystem Version Major:6
                                              Subsystem Version Minor:0
                                              Import Hash:16c8c7a62c852018ed02e453e144c998
                                              Signature Valid:false
                                              Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                              Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
                                              Error Number:-2146762495
Not Before:24/12/2024 14:35:01
Not After:25/12/2025 14:35:01
                                              Subject Chain
                                              • CN=Technic AS Plus Inc., O=Technic AS Plus Inc., STREET=5240 Loyola Saint-Leonard, L=Montreal, S=Quebec, C=CA, OID.1.3.6.1.4.1.311.60.2.1.3=CA, SERIALNUMBER=920816-0, OID.2.5.4.15=Private Organization
                                              Version:3
                                              Thumbprint MD5:E27B570CC7EDFA7EC19B06773E1247A6
                                              Thumbprint SHA-1:F8E657AB86105C880CACACC939661F85E24769AF
                                              Thumbprint SHA-256:A516C53272112BC732B6880AAAEBD59370D0C1CF5D646F1D921FAAFCF86366DB
                                              Serial:4BC418BDB4B1330B041BE689
                                              Instruction
                                              push ebp
                                              mov ebp, esp
                                              add esp, FFFFFFF0h
                                              push ebx
                                              push esi
                                              push edi
                                              mov eax, 00651408h
                                              call 00007F8A782BA962h
                                              mov eax, dword ptr [00662788h]
                                              mov eax, dword ptr [eax]
                                              mov eax, dword ptr [eax+00000188h]
                                              push FFFFFFECh
                                              push eax
                                              call 00007F8A782BE9C1h
                                              mov edx, dword ptr [00662788h]
                                              mov edx, dword ptr [edx]
                                              mov edx, dword ptr [edx+00000188h]
                                              and eax, FFFFFF7Fh
                                              push eax
                                              push FFFFFFECh
                                              push edx
                                              call 00007F8A782BE9ADh
                                              xor eax, eax
                                              push ebp
                                              push 0065C528h
                                              push dword ptr fs:[eax]
                                              mov dword ptr fs:[eax], esp
                                              push 00000001h
                                              call 00007F8A782BDD18h
                                              call 00007F8A784FCDF3h
                                              mov eax, dword ptr [00651030h]
                                              push eax
                                              push 006510C8h
                                              mov eax, dword ptr [00662788h]
                                              mov eax, dword ptr [eax]
                                              call 00007F8A7844EB98h
                                              call 00007F8A784FCE47h
                                              xor eax, eax
                                              pop edx
                                              pop ecx
                                              pop ecx
                                              mov dword ptr fs:[eax], edx
                                              jmp 00007F8A7850819Bh
                                              jmp 00007F8A782B36D8h
                                              call 00007F8A784FCB8Fh
                                              mov eax, 00000001h
                                              call 00007F8A782B41C1h
                                              call 00007F8A782B3B1Ch
                                              mov eax, dword ptr [00662788h]
                                              mov eax, dword ptr [eax]
                                              mov edx, 0065C6BCh
                                              call 00007F8A7844E66Fh
                                              push 00000005h
                                              mov eax, dword ptr [00662788h]
                                              mov eax, dword ptr [eax]
                                              mov eax, dword ptr [eax+00000188h]
                                              push eax
                                              call 00007F8A782BE6D6h
                                              mov eax, dword ptr [00662788h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x270000 | 0x97 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26b000 | 0x35d8 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x273000 | 0x1911c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3f6000 | 0x1218 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x272000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x26b94c | 0x848 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x26f000 | 0x9ee | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2581fc | 0x258200 | d522cd1a0afeaa9ef5024789e19cc2ef | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x25a000 | 0x26c8 | 0x2800 | 367bc90dd8be7c6a1056ad2a82281084 | False | 0.503125 | data | 6.119631643767066 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x25d000 | 0x5a64 | 0x5c00 | c20c3606951695cd5626a53022531398 | False | 0.40281080163043476 | data | 5.055173307610014 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x263000 | 0x780c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x26b000 | 0x35d8 | 0x3600 | 6cbfeeac8d17ca3b356e9c16e6f19fc1 | False | 0.33622685185185186 | data | 5.280395234482991 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x26f000 | 0x9ee | 0xa00 | 2726dff14c86e88d2aaa4303cf2dc681 | False | 0.36328125 | data | 4.360393246158077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x270000 | 0x97 | 0x200 | 8c377a4128fcc7899b263e28899a337b | False | 0.251953125 | data | 1.7456444612923019 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x271000 | 0x44 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x272000 | 0x5d | 0x200 | 549e425037fe57817fc75df38c52f354 | False | 0.189453125 | data | 1.4022224415966043 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x273000 | 0x1911c8 | 0x191200 | 472d071e032c00d4d0da44d6fa14133d | False | 0.75464635595201 | data | 7.815757913596491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| PHPKTEMTUM5HYZG62F48E7CWQ9UV | 0x273dd0 | 0x177408 | data | | | 0.7441139221191406 |
| RT_CURSOR | 0x3eb1d8 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635 |
| RT_CURSOR | 0x3eb30c | 0x134 | data | English | United States | 0.4642857142857143 |
| RT_CURSOR | 0x3eb440 | 0x134 | data | English | United States | 0.4805194805194805 |
| RT_CURSOR | 0x3eb574 | 0x134 | data | English | United States | 0.38311688311688313 |
| RT_CURSOR | 0x3eb6a8 | 0x134 | data | English | United States | 0.36038961038961037 |
| RT_CURSOR | 0x3eb7dc | 0x134 | data | English | United States | 0.4090909090909091 |
| RT_CURSOR | 0x3eb910 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468 |
| RT_BITMAP | 0x3eba44 | 0xd28 | Device independent bitmap graphic, 48 x 48 x 8, image size 0, resolution 3780 x 3780 px/m, 256 important colors | | | 0.16508313539192399 |
| RT_BITMAP | 0x3ec76c | 0x32a | Device independent bitmap graphic, 16 x 16 x 24, image size 770, resolution 3779 x 3779 px/m | | | 0.2074074074074074 |
| RT_ICON | 0x3eca98 | 0x4902 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9955056179775281 |
| RT_ICON | 0x3f139c | 0x173d | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | English | United States | 0.9887376029584805 |
| RT_ICON | 0x3f2adc | 0xf46 | PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced | English | United States | 1.0028132992327365 |
| RT_ICON | 0x3f3a24 | 0xa52 | PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced | English | United States | 1.0041635124905375 |
| RT_ICON | 0x3f4478 | 0x926 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0046968403074295 |
| RT_ICON | 0x3f4da0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600, resolution 3780 x 3780 px/m | English | United States | 0.17645228215767636 |
| RT_ICON | 0x3f7348 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224, resolution 3780 x 3780 px/m | English | United States | 0.24812382739212008 |
| RT_ICON | 0x3f83f0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400, resolution 3780 x 3780 px/m | English | United States | 0.3073770491803279 |
| RT_ICON | 0x3f8d78 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088, resolution 3780 x 3780 px/m | English | United States | 0.42819148936170215 |
| RT_STRING | 0x3f91e0 | 0x6c | data | | | 0.6018518518518519 |
| RT_STRING | 0x3f924c | 0x250 | data | | | 0.46790540540540543 |
| RT_STRING | 0x3f949c | 0x204 | data | | | 0.46705426356589147 |
| RT_STRING | 0x3f96a0 | 0x3ec | data | | | 0.3894422310756972 |
| RT_STRING | 0x3f9a8c | 0x410 | data | | | 0.41634615384615387 |
| RT_STRING | 0x3f9e9c | 0x160 | data | | | 0.59375 |
| RT_STRING | 0x3f9ffc | 0xd0 | data | | | 0.6778846153846154 |
| RT_STRING | 0x3fa0cc | 0x2f4 | data | | | 0.43253968253968256 |
| RT_STRING | 0x3fa3c0 | 0x3fc | data | | | 0.37941176470588234 |
| RT_STRING | 0x3fa7bc | 0x49c | data | | | 0.35338983050847456 |
| RT_STRING | 0x3fac58 | 0x29c | data | | | 0.31736526946107785 |
| RT_STRING | 0x3faef4 | 0x3f0 | data | | | 0.43154761904761907 |
| RT_STRING | 0x3fb2e4 | 0x438 | data | | | 0.3731481481481482 |
| RT_STRING | 0x3fb71c | 0x3ac | data | | | 0.3861702127659574 |
| RT_STRING | 0x3fbac8 | 0x404 | data | | | 0.3764591439688716 |
| RT_STRING | 0x3fbecc | 0x2ac | data | | | 0.38742690058479534 |
| RT_STRING | 0x3fc178 | 0xb8 | data | | | 0.657608695652174 |
| RT_STRING | 0x3fc230 | 0xd0 | data | | | 0.6201923076923077 |
| RT_STRING | 0x3fc300 | 0x354 | data | | | 0.4284037558685446 |
| RT_STRING | 0x3fc654 | 0x3ac | data | | | 0.3425531914893617 |
| RT_STRING | 0x3fca00 | 0x354 | data | | | 0.3826291079812207 |
| RT_STRING | 0x3fcd54 | 0x2c0 | data | | | 0.41051136363636365 |
| RT_RCDATA | 0x3fd014 | 0x10 | data | | | 1.5 |
| RT_RCDATA | 0x3fd024 | 0x1800 | PE32+ executable (console) x86-64, for MS Windows | English | United States | 0.3924153645833333 |
| RT_RCDATA | 0x3fe824 | 0xac4 | data | | | 0.5446298984034833 |
| RT_RCDATA | 0x3ff2e8 | 0x147 | Delphi compiled form 'TMainForm' | | | 0.746177370030581 |
| RT_RCDATA | 0x3ff430 | 0x480 | Delphi compiled form 'TNewDiskForm' | | | 0.5034722222222222 |
| RT_RCDATA | 0x3ff8b0 | 0x400 | Delphi compiled form 'TSelectFolderForm' | | | 0.5087890625 |
| RT_RCDATA | 0x3ffcb0 | 0x4b5 | Delphi compiled form 'TSelectLanguageForm' | | | 0.5004149377593361 |
| RT_RCDATA | 0x400168 | 0x7ff | Delphi compiled form 'TUninstallProgressForm' | | | 0.4054714215925745 |
| RT_RCDATA | 0x400968 | 0x55c | Delphi compiled form 'TUninstSharedFileForm' | | | 0.41690962099125367 |
| RT_RCDATA | 0x400ec4 | 0x2ac9 | Delphi compiled form 'TWizardForm' | | | 0.19811923673879303 |
| RT_GROUP_CURSOR | 0x403990 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
| RT_GROUP_CURSOR | 0x4039a4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25 |
| RT_GROUP_CURSOR | 0x4039b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x4039cc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x4039e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x4039f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_CURSOR | 0x403a08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3 |
| RT_GROUP_ICON | 0x403a1c | 0x84 | data | English | United States | 0.7196969696969697 |
| RT_MANIFEST | 0x403aa0 | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4005464480874317 |
| DLL | Import |
|---|---|
| mpr.dll | WNetEnumResourceW, WNetGetUniversalNameW, WNetGetConnectionW, WNetCloseEnum, WNetOpenEnumW |
| comdlg32.dll | GetSaveFileNameW, GetOpenFileNameW |
| comctl32.dll | FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_Draw, ImageList_Remove |
| shell32.dll | SHBrowseForFolderW, ExtractIconW, SHGetMalloc, SHGetFileInfoW, SHChangeNotify, Shell_NotifyIconW, ShellExecuteW, SHGetPathFromIDListW, ShellExecuteExW |
| user32.dll | CopyImage, CreateWindowExW, GetMenuItemInfoW, SetMenuItemInfoW, DefFrameProcW, GetDCEx, GetMessageW, PeekMessageW, MonitorFromWindow, GetDlgCtrlID, ScrollWindowEx, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, FrameRect, MapVirtualKeyW, OffsetRect, IsWindowUnicode, RegisterWindowMessageW, FillRect, GetMenuStringW, DispatchMessageW, SendMessageA, DefMDIChildProcW, EnumWindows, GetClassInfoW, GetSystemMenu, WaitForInputIdle, ShowOwnedPopups, GetScrollRange, GetScrollPos, SetScrollPos, GetActiveWindow, SetActiveWindow, DrawEdge, InflateRect, GetKeyboardLayoutList, OemToCharBuffA, LoadBitmapW, DrawFocusRect, EnumChildWindows, GetScrollBarInfo, SendNotifyMessageW, ReleaseCapture, UnhookWindowsHookEx, LoadCursorW, GetCapture, SetCapture, CreatePopupMenu, ScrollWindow, ShowCaret, GetMenuItemID, GetLastActivePopup, CharLowerBuffW, GetSystemMetrics, SetWindowLongW, PostMessageW, DrawMenuBar, SetParent, IsZoomed, CharUpperBuffW, GetClientRect, IsChild, ClientToScreen, SetWindowPlacement, IsIconic, CallNextHookEx, GetMonitorInfoW, ShowWindow, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, SetForegroundWindow, GetWindowTextW, EnableWindow, DestroyWindow, IsDialogMessageW, EndMenu, RegisterClassW, CharNextW, GetWindowThreadProcessId, RedrawWindow, GetDC, GetFocus, SetFocus, EndPaint, ExitWindowsEx, ReleaseDC, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, GetClassLongW, ActivateKeyboardLayout, GetParent, CharToOemBuffA, DrawTextW, SetScrollRange, InsertMenuItemW, PeekMessageA, GetPropW, SetClassLongW, MessageBoxW, MessageBeep, SetPropW, SetRectEmpty, UpdateWindow, RemovePropW, GetSubMenu, MsgWaitForMultipleObjects, DestroyMenu, DestroyIcon, SetWindowsHookExW, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, AdjustWindowRectEx, DrawIcon, IsWindow, EnumThreadWindows, InvalidateRect, GetKeyboardState, DrawFrameControl, ScreenToClient, SendMessageTimeoutW, BringWindowToTop, SetCursor, CreateIcon, CreateMenu, LoadStringW, CharLowerW, SetWindowPos, SetWindowRgn, GetMenuItemCount, RemoveMenu, AppendMenuW, GetSysColorBrush, GetKeyboardLayoutNameW, GetWindowDC, TranslateMessage, DrawTextExW, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, DestroyCursor, ReplyMessage, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, EnableScrollBar, GetSysColor, TrackPopupMenu, DrawIconEx, PostQuitMessage, GetClassNameW, ShowScrollBar, EnableMenuItem, GetIconInfo, GetMessagePos, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, GetCursorPos, SetCursorPos, HideCaret, GetMenu, GetMenuState, SetMenu, SetRect, GetKeyState, FindWindowExW, MonitorFromPoint, SystemParametersInfoW, LoadIconW, GetCursor, GetWindow, GetWindowLongW, GetWindowRect, InsertMenuW, KillTimer, WaitMessage, IsWindowEnabled, IsDialogMessageA, TranslateMDISysAccel, GetWindowPlacement, FindWindowW, DeleteMenu, GetKeyboardLayout |
| version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW |
| oleaut32.dll | SafeArrayPutElement, LoadTypeLib, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, GetActiveObject, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, RegisterTypeLib, VariantChangeType, VariantCopyInd |
| advapi32.dll | RegSetValueExW, RegEnumKeyExW, AdjustTokenPrivileges, OpenThreadToken, GetUserNameW, RegDeleteKeyW, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegQueryInfoKeyW, AllocateAndInitializeSid, FreeSid, EqualSid, RegDeleteValueW, RegFlushKey, RegQueryValueExW, RegEnumValueW, GetTokenInformation, InitializeSecurityDescriptor, RegCloseKey, RegCreateKeyExW, SetSecurityDescriptorDacl |
| netapi32.dll | NetWkstaGetInfo, NetApiBufferFree |
| kernel32.dll | SetFileAttributesW, SetFileTime, GetACP, GetExitCodeProcess, IsBadWritePtr, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, QueryPerformanceFrequency, FindNextFileW, GetFullPathNameW, VirtualFree, ExitProcess, HeapAlloc, WriteProfileStringW, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, HeapDestroy, CompareFileTime, ReadFile, CreateProcessW, TransactNamedPipe, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, OpenMutexW, CreateThread, CompareStringW, CopyFileW, CreateMutexW, LoadLibraryA, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, MoveFileW, GlobalAddAtomW, GetSystemTimeAsFileTime, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, GetCurrentThread, GetLogicalDrives, LocalFileTimeToFileTime, SetNamedPipeHandleState, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetShortPathNameW, GetCurrentThreadId, UnhandledExceptionFilter, MoveFileExW, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, FlushFileBuffers, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GetStartupInfoW, GlobalDeleteAtom, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, DeviceIoControl, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, lstrcmpW, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateNamedPipeW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetOverlappedResult, GetSystemDefaultUILanguage, EnumCalendarInfoW, GetProfileStringW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, IsDBCSLeadByte, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale |
| ole32.dll | StgCreateDocfileOnILockBytes, CoCreateInstance, CLSIDFromString, CoUninitialize, IsEqualGUID, OleInitialize, CoFreeUnusedLibraries, CreateILockBytesOnHGlobal, CLSIDFromProgID, OleUninitialize, CoDisconnectObject, CoInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID |
| gdi32.dll | Arc, Pie, SetBkMode, SelectPalette, CreateCompatibleBitmap, ExcludeClipRect, RectVisible, SetWindowOrgEx, MaskBlt, AngleArc, Chord, SetTextColor, StretchBlt, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, RemoveFontResourceW, GetWindowOrgEx, CreatePalette, CreateBrushIndirect, PatBlt, LineDDA, PolyBezierTo, GetStockObject, CreateSolidBrush, Polygon, Rectangle, MoveToEx, DeleteDC, SaveDC, BitBlt, Ellipse, FrameRgn, GetDeviceCaps, GetBitmapBits, GetTextExtentPoint32W, GetClipBox, Polyline, IntersectClipRect, GetSystemPaletteEntries, CreateBitmap, AddFontResourceW, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, CreatePenIndirect, SetStretchBltMode, GetDIBits, CreateFontIndirectW, PolyBezier, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, DeleteObject, SelectObject, ExtFloodFill, UnrealizeObject, SetBkColor, CreateCompatibleDC, GetObjectW, GetBrushOrgEx, GetCurrentPositionEx, SetROP2, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, ArcTo, GdiFlush, SetPixel, EnumFontFamiliesExW, GetPaletteEntries |
| Name | Ordinal | Address |
|---|---|---|
| TMethodImplementationIntercept | 3 | 0x4aefc0 |
| __dbk_fcall_wrapper | 2 | 0x40eb68 |
| dbkFCallWrapperAddr | 1 | 0x66663c |
| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |
                                              No network behavior found


                                              Target ID:0
                                              Start time:05:44:46
                                              Start date:07/02/2025
                                              Path:C:\Users\user\Desktop\in.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\in.exe"
                                              Imagebase:0x400000
                                              File size:4'157'976 bytes
                                              MD5 hash:EA3874838D38C5E9EE97748AF1D561CB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:Borland Delphi
                                              Reputation:low
                                              Has exited:true

                                              Target ID:1
                                              Start time:05:44:46
                                              Start date:07/02/2025
                                              Path:C:\temp\test\Autoit3.exe
                                              Wow64 process (32bit):true
                                              Commandline:"c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
                                              Imagebase:0xcb0000
                                              File size:893'608 bytes
                                              MD5 hash:C56B5F0201A3B3DE53E561FE76912BFD
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:Borland Delphi
                                              Yara matches:
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.1739491326.0000000004367000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000001.00000002.1739491326.0000000004367000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000001.00000002.1739863768.0000000004588000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.1739863768.0000000004521000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000001.00000002.1739778926.0000000004420000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 3%, ReversingLabs
                                               • Detection: 4%, Virustotal
                                              Reputation:high
                                              Has exited:true

                                              Target ID:2
                                              Start time:05:44:49
                                              Start date:07/02/2025
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\eadedcf\eggdacf
                                              Imagebase:0x240000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:05:44:49
                                              Start date:07/02/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:05:44:49
                                              Start date:07/02/2025
                                              Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                              Wow64 process (32bit):true
                                              Commandline:wmic ComputerSystem get domain
                                              Imagebase:0xe0000
                                              File size:427'008 bytes
                                              MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true
