Edit tour

Windows Analysis Report
The Earth.exe

Overview

General Information

Sample name:	The Earth.exe
Analysis ID:	1640030
MD5:	14a768ab6e61a8a0ee8daca2b9bd9dd5
SHA1:	353d126cbb0e58c5b819437430aa6ed39a8b66cd
SHA256:	e38326b7a229abce1d75a3256137dfb8f93327593b458436aa7b794329542115
Tags:	exeskidtrojanuser-2huMarisa
Infos:

Detection

Score:	56
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to register a low level keyboard hook

Sample or dropped binary is a compiled AutoHotkey binary

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Spawns drivers

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

Process Tree

System is w10x64

The Earth.exe (PID: 7060 cmdline: "C:\Users\user\Desktop\The Earth.exe" MD5: 14A768AB6E61A8A0EE8DACA2B9BD9DD5)

LogonUI.exe (PID: 6476 cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa3800855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)

cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)

fontdrvhost.exe (PID: 4832 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

LogonUI.exe (PID: 6228 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3804855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)

cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)

fontdrvhost.exe (PID: 3596 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

LogonUI.exe (PID: 6680 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3815855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)

cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)

LogonUI.exe (PID: 5376 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa3822055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)

fontdrvhost.exe (PID: 3708 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

cdd.dll (PID: 4 cmdline: MD5: 9B684213A399B4E286982BDAD6CF3D07)

LogonUI.exe (PID: 3856 cmdline: "LogonUI.exe" /flags:0x2 /state0:0xa382a055 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)

fontdrvhost.exe (PID: 6200 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

cleanup

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\cdd.dll, NewProcessName: C:\Windows\System32\cdd.dll, OriginalFileName: C:\Windows\System32\cdd.dll, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: cdd.dll

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: The Earth.exe

Virustotal: Detection: 12%

Perma Link

Source: The Earth.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00456180 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00456180
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004774C0 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	0_2_004774C0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004440A0 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_004440A0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0042E210 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,__wcstoi64,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,	0_2_0042E210
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00444380 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,	0_2_00444380
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00477430 FindFirstFileW,FindClose,GetFileAttributesW,	0_2_00477430
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004446C0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	0_2_004446C0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00455C10 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,	0_2_00455C10
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00472DE0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,	0_2_00472DE0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00454FA0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,	0_2_00454FA0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_00454910 __wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetReadFile,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,InternetReadFileExA,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,DeleteFileW,

0_2_00454910

Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: otelrules.svc.static.microsoft
Source: global traffic	DNS traffic detected: DNS query: c.pki.goog

Source: The Earth.exe	String found in binary or memory: https://autohotkey.com
Source: The Earth.exe	String found in binary or memory: https://autohotkey.comCould

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_004093C0 SetWindowsHookExW 0000000D,Function_00004C10,00400000,00000000

0_2_004093C0

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_004049B0 GetTickCount,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard,

0_2_004049B0

Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00479570 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalFree,GlobalUnlock,CloseClipboard,		0_2_00479570
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004046E0 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard,		0_2_004046E0

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_004048B0 GetClipboardFormatNameW,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,GetClipboardData,

0_2_004048B0

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_0043A7A0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,

0_2_0043A7A0

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_00411090 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,BlockInput,GetForegroundWindow,GetAsyncKeyState,keybd_event,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,BlockInput,

0_2_00411090

Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004013F4 GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,GetMessageW,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,KillTimer,DragQueryFileW,DragFinish,GetTickCount,DragFinish,DragFinish,_wcsncpy,_wcsncpy,GetTickCount,_wcsncpy,GetTickCount,IsDialogMessageW,SetCurrentDirectoryW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,	0_2_004013F4
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0040F520 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId,	0_2_0040F520
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0040F956 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,	0_2_0040F956
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00412DD0 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState,	0_2_00412DD0

System Summary

Sample or dropped binary is a compiled AutoHotkey binary

Source: C:\Users\user\Desktop\The Earth.exe

Window found: window name: AutoHotkey

Jump to behavior

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_00440870: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00440870

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_004561F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_004561F0

Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004013F4	0_2_004013F4
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0040F520	0_2_0040F520
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0049F010	0_2_0049F010
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0049B08C	0_2_0049B08C
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00460170	0_2_00460170
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0040C1E0	0_2_0040C1E0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0049D1F1	0_2_0049D1F1
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00448260	0_2_00448260
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0047F260	0_2_0047F260
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00408290	0_2_00408290
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0042F2A0	0_2_0042F2A0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00420490	0_2_00420490
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00442570	0_2_00442570
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004925B2	0_2_004925B2
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0048E600	0_2_0048E600
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004186B0	0_2_004186B0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00482755	0_2_00482755
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0041C700	0_2_0041C700
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004897EE	0_2_004897EE
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0043A7A0	0_2_0043A7A0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0043F870	0_2_0043F870
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0040C800	0_2_0040C800
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0049D8CD	0_2_0049D8CD
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00484970	0_2_00484970
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004829C5	0_2_004829C5
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004999EF	0_2_004999EF
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0040DA40	0_2_0040DA40
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00496A05	0_2_00496A05
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00414AC0	0_2_00414AC0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00432DD0	0_2_00432DD0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00401DE0	0_2_00401DE0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00481E4B	0_2_00481E4B
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00499F40	0_2_00499F40
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00475F00	0_2_00475F00
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00407FC0	0_2_00407FC0

Source: C:\Users\user\Desktop\The Earth.exe	Code function: String function: 00476750 appears 50 times
Source: C:\Users\user\Desktop\The Earth.exe	Code function: String function: 00430930 appears 268 times
Source: C:\Users\user\Desktop\The Earth.exe	Code function: String function: 0048FF69 appears 346 times
Source: C:\Users\user\Desktop\The Earth.exe	Code function: String function: 0049B270 appears 44 times
Source: C:\Users\user\Desktop\The Earth.exe	Code function: String function: 00430680 appears 80 times
Source: C:\Users\user\Desktop\The Earth.exe	Code function: String function: 004948A0 appears 33 times
Source: C:\Users\user\Desktop\The Earth.exe	Code function: String function: 0049016D appears 54 times
Source: C:\Users\user\Desktop\The Earth.exe	Code function: String function: 004766B0 appears 73 times

Source: The Earth.exe, 00000000.00000000.1198691660.00000000004CE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs The Earth.exe
Source: The Earth.exe	Binary or memory string: OriginalFilename vs The Earth.exe

Source: unknown

Driver loaded: C:\Windows\System32\cdd.dll

Source: The Earth.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.spyw.evad.winEXE@10/1@3/0

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_00431620 __wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW,

0_2_00431620

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_004561F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_004561F0

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_00440510 _wcsncpy,GetDiskFreeSpaceExW,

0_2_00440510

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_00456400 CreateToolhelp32Snapshot,Process32FirstW,__wcstoi64,Process32NextW,__wsplitpath,__wcsicoll,Process32NextW,CloseHandle,CloseHandle,CloseHandle,

0_2_00456400

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_00455330 CoInitialize,CoCreateInstance,__fassign,GetKeyboardLayout,__fassign,GetFullPathNameW,CoUninitialize,

0_2_00455330

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_00478510 SystemParametersInfoW,LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,ExtractIconW,

0_2_00478510

Source: C:\Users\user\Desktop\The Earth.exe

File created: C:\Users\user\AppData\Local\Temp\g.jpeg

Jump to behavior

Source: C:\Users\user\Desktop\The Earth.exe	Command line argument: /restart	0_2_00403D40
Source: C:\Users\user\Desktop\The Earth.exe	Command line argument: /force	0_2_00403D40
Source: C:\Users\user\Desktop\The Earth.exe	Command line argument: /ErrorStdOut	0_2_00403D40
Source: C:\Users\user\Desktop\The Earth.exe	Command line argument: A_Args	0_2_00403D40
Source: C:\Users\user\Desktop\The Earth.exe	Command line argument: A_Args	0_2_00403D40
Source: C:\Users\user\Desktop\The Earth.exe	Command line argument: AutoHotkey	0_2_00403D40
Source: C:\Users\user\Desktop\The Earth.exe	Command line argument: AutoHotkey	0_2_00403D40
Source: C:\Users\user\Desktop\The Earth.exe	Command line argument: Clipboard	0_2_00403D40
Source: C:\Users\user\Desktop\The Earth.exe	Command line argument: @HI	0_2_00494790

Source: The Earth.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\The Earth.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: The Earth.exe

Virustotal: Detection: 12%

Source: unknown	Process created: C:\Users\user\Desktop\The Earth.exe "C:\Users\user\Desktop\The Earth.exe"
Source: unknown	Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x4 /state0:0xa3800855 /state1:0x41c64e6d
Source: unknown	Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown	Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3804855 /state1:0x41c64e6d
Source: unknown	Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown	Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3815855 /state1:0x41c64e6d
Source: unknown	Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa3822055 /state1:0x41c64e6d
Source: unknown	Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"
Source: unknown	Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x2 /state0:0xa382a055 /state1:0x41c64e6d
Source: unknown	Process created: C:\Windows\System32\fontdrvhost.exe "fontdrvhost.exe"

Source: C:\Users\user\Desktop\The Earth.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\The Earth.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\The Earth.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\The Earth.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\The Earth.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\The Earth.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\The Earth.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\The Earth.exe	Section loaded: kbdsg.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: logoncontroller.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: windows.ui.logon.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: windows.ui.xamlhost.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: languageoverlayutil.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: logoncontroller.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: logoncontroller.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: logoncontroller.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: logoncontroller.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Section loaded: winsta.dll	Jump to behavior

Source: C:\Windows\System32\LogonUI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0bdc6fc7-83e3-46a4-bfa0-1bc14dbf8b38}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_00448010 GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,_wcsncpy,_wcsrchr,WideCharToMultiByte,GetProcAddress,GetProcAddress,GetProcAddress,WideCharToMultiByte,GetModuleHandleW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00448010

Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0042D4D4 push eax; iretd		0_2_0042D4D5
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004948E5 push ecx; ret		0_2_004948F8

Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00460170 MulDiv,MulDiv,MulDiv,_wcschr,__wcsicoll,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,_wcschr,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetWindowLongW,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,CreateWindowExW,CreateWindowExW,CreateWindowExW,CreateWindowExW,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,CreateWindowExW,SendMessageW,CreateWindowExW,SendMessageW,SendMessageW,MulDiv,MulDiv,MulDiv,MoveWindow,SelectObject,ReleaseDC,SendMessageW,SendMessageW,GetClientRect,SetWindowLongW,SendMessageW,SetWindowLongW,MoveWindow,GetWindowRect,SendMessageW,SetWindowPos,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,MapWindowPoints,	0_2_00460170
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00453120 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,	0_2_00453120
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0047A3E0 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow,	0_2_0047A3E0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00463410 GetWindowLongW,GetWindowLongW,GetWindowLongW,__wcsnicmp,__wcsnicmp,__wcsicoll,SetWindowPos,__wcsicoll,__wcsicoll,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,EnableWindow,__wcsnicmp,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsnicmp,MulDiv,MulDiv,__wcsnicmp,MulDiv,MulDiv,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcstoi64,IsWindow,SetParent,SetWindowLongW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect,	0_2_00463410
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00439490 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongW,GetModuleHandleW,GetProcAddress,	0_2_00439490
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0047A520 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop,	0_2_0047A520
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0046A590 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect,	0_2_0046A590
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00466740 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	0_2_00466740
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00466740 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetWindowRect,GetClientRect,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus,	0_2_00466740
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0043A7A0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC,	0_2_0043A7A0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0043D800 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,_memset,EnumChildWindows,GetClassNameW,EnumChildWindows,	0_2_0043D800
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0043C970 SendMessageW,SendMessageW,SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,	0_2_0043C970
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00477AB0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	0_2_00477AB0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00477B10 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,	0_2_00477B10
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0043AFB0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free,	0_2_0043AFB0

Source: C:\Windows\System32\LogonUI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\The Earth.exe

API coverage: 3.0 %

Source: C:\Users\user\Desktop\The Earth.exe

Key opened: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000807

Jump to behavior

Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00413E50 GetKeyboardLayout followed by cmp: cmp al, 19h and CTI: ja 00413F3Fh country: Russian (ru)		0_2_00413E50
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00406F10 GetKeyboardLayout followed by cmp: cmp dword ptr [004cc1fch], ebx and CTI: je 004070D7h		0_2_00406F10

Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00456180 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00456180
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004774C0 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose,	0_2_004774C0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004440A0 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,	0_2_004440A0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_0042E210 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,__wcstoi64,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,	0_2_0042E210
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00444380 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,	0_2_00444380
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00477430 FindFirstFileW,FindClose,GetFileAttributesW,	0_2_00477430
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004446C0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,	0_2_004446C0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00455C10 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose,	0_2_00455C10
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00472DE0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle,	0_2_00472DE0
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00454FA0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize,	0_2_00454FA0

Source: C:\Windows\System32\cdd.dll

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\The Earth.exe

0_2_00411090

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_004969F6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_004969F6

Source: C:\Users\user\Desktop\The Earth.exe

0_2_00448010

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_0049C88E __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_0049C88E

Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00498532 SetUnhandledExceptionFilter,	0_2_00498532
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004969F6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_004969F6
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00493DF5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00493DF5

Source: C:\Users\user\Desktop\The Earth.exe

0_2_00431620

Source: C:\Users\user\Desktop\The Earth.exe

0_2_00411090

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_004562E0 mouse_event,

0_2_004562E0

Source: The Earth.exe	Binary or memory string: Program Manager
Source: The Earth.exe	Binary or memory string: Shell_TrayWnd
Source: The Earth.exe	Binary or memory string: Progman
Source: The Earth.exe, 00000000.00000002.1231245462.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: The Earth.exe	Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory

Source: C:\Windows\System32\LogonUI.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation			Jump to behavior
Source: C:\Windows\System32\LogonUI.exe	Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_004180E0 SetCurrentDirectoryW,GetSystemTimeAsFileTime,

0_2_004180E0

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_00445F40 GetComputerNameW,GetUserNameW,

0_2_00445F40

Source: C:\Users\user\Desktop\The Earth.exe

Code function: 0_2_00414C41 GetModuleHandleW,GetProcAddress,GetVersionExW,__snwprintf,

0_2_00414C41

Source: The Earth.exe	Binary or memory string: WIN_XP
Source: The Earth.exe	Binary or memory string: WIN_VISTA
Source: The Earth.exe	Binary or memory string: WIN_7
Source: The Earth.exe	Binary or memory string: WIN_8
Source: The Earth.exe	Binary or memory string: ?A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingle1.1.33.08\AutoHotkey.exeWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003WIN_2000%04hX0x%IxpPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkpcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCcFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameWpsapi
Source: The Earth.exe	Binary or memory string: WIN_8.1

Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_00417010 Shell_NotifyIconW,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,mciSendStringW,DeleteCriticalSection,CoUninitialize,_free,_free,_free,		0_2_00417010
Source: C:\Users\user\Desktop\The Earth.exe	Code function: 0_2_004178B0 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain,		0_2_004178B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 LSASS Driver	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	121 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 LSASS Driver	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Access Token Manipulation	1 DLL Side-Loading	NTDS	35 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Access Token Manipulation	LSA Secrets	2 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Process Injection	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
The Earth.exe	12%	Virustotal		Browse
The Earth.exe	6%	ReversingLabs

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
a-0003.a-msedge.net	204.79.197.203	true	false	high
pki-goog.l.google.com	142.250.185.227	true	false	high
s-part-0032.t-0009.t-msedge.net	13.107.246.60	true	false	high
otelrules.svc.static.microsoft	unknown	unknown	false	high
c.pki.goog	unknown	unknown	false	high
api.msn.com	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://autohotkey.com	The Earth.exe	false		high
https://autohotkey.comCould	The Earth.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1640030
Start date and time:	2025-03-16 21:54:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	4
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	The Earth.exe
Detection:	MAL
Classification:	mal56.spyw.evad.winEXE@10/1@3/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 39 Number of non-executed functions: 234
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Connection to analysis system has been lost, crash info: Unknown
Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, smss.exe, dwm.exe, csrss.exe, winlogon.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 4.245.163.56, 23.60.201.147, 2.19.104.63, 2.23.227.208, 2.23.227.215, 40.126.32.133, 40.126.32.138, 40.126.32.68, 20.190.160.130, 40.126.32.76, 20.190.160.132, 20.190.160.3, 20.190.160.20, 2.19.96.59, 2.19.96.75, 2.19.96.83, 2.19.96.64, 2.19.96.81, 2.19.96.74, 2.19.96.72, 2.19.96.67, 2.19.96.82
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, cdn.onenote.net.edgekey.net, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, wildcard.weather.microsoft.com.edgekey.net, login.live.com, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, e15275.d.akamaiedge.net, tile-service.weather.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, login.msa.msidentity.com, e1553.dspg.akamaiedge.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:55:50	API Interceptor	1x Sleep call for process: The Earth.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pki-goog.l.google.com	zsd5jgZ9LU.exe	Get hash	malicious	DanaBot	Browse	142.250.185.99
	LaunchV.2.exe	Get hash	malicious	LummaC Stealer	Browse	142.250.186.99
	SecuriteInfo.com.Win32.RATX-gen.28955.11907.exe	Get hash	malicious	XWorm	Browse	142.250.184.227
	SecuriteInfo.com.Win32.RATX-gen.23694.15705.exe	Get hash	malicious	XWorm	Browse	172.217.18.3
	SecuriteInfo.com.Win32.RATX-gen.1407.14828.exe	Get hash	malicious	SugarDump, XWorm	Browse	142.250.186.67
	file.exe	Get hash	malicious	Vidar	Browse	142.250.185.163
	DiscordNitrofree2021.exe	Get hash	malicious	Unknown	Browse	142.250.181.227
	Install.exe	Get hash	malicious	LummaC Stealer, RHADAMANTHYS	Browse	142.250.184.195
	ShadowOF-Launcher.exe	Get hash	malicious	LummaC Stealer	Browse	142.250.184.227
	SoftWare.exe	Get hash	malicious	LummaC Stealer	Browse	142.250.184.227
bg.microsoft.map.fastly.net	USE INCASE OF A SEVERE FORKIE.exe	Get hash	malicious	Babadeda	Browse	199.232.210.172
	theants-2.0.3-Setup-dkp3z.7x5ols.spqn44#U007ex.exe	Get hash	malicious	Sality	Browse	199.232.210.172
	FNLJD8Q3.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	MTE PO - 0515-000112.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	zsd5jgZ9LU.exe	Get hash	malicious	DanaBot	Browse	199.232.214.172
	LaunchV.2.exe	Get hash	malicious	LummaC Stealer	Browse	199.232.214.172
	shit.exe.bin.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	attach.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	AgnotSecurity.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	SecuriteInfo.com.Win32.RATX-gen.20425.5895.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
a-0003.a-msedge.net	USE INCASE OF A SEVERE FORKIE.exe	Get hash	malicious	Babadeda	Browse	204.79.197.203
	ExLoader_Installer.exe	Get hash	malicious	Python Stealer, Blank Grabber, Umbral Stealer, XWorm	Browse	204.79.197.203
	system.dll.exe	Get hash	malicious	Python Stealer, Braodo	Browse	204.79.197.203
	system.dll.exe	Get hash	malicious	Python Stealer, Braodo	Browse	204.79.197.203
	file.exe	Get hash	malicious	Vidar	Browse	204.79.197.203
	ImageG.exe	Get hash	malicious	NovaSentinel	Browse	204.79.197.203
	GlitchNote.exe	Get hash	malicious	Unknown	Browse	204.79.197.203
	work.js	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	204.79.197.203
	Blue-Cloner-Signed.exe	Get hash	malicious	RedLine	Browse	204.79.197.203
	Bthvgkck.exe	Get hash	malicious	Unknown	Browse	204.79.197.203

Process:	C:\Users\user\Desktop\The Earth.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 640x487, components 3
Category:	dropped
Size (bytes):	29193
Entropy (8bit):	7.967293542609363
Encrypted:	false
SSDEEP:	768:2d2H9nLLU2CFl33ai6ZjFzV/niEey+BjkTcniU/:2d2lLg1Lnai6VRtUjj3/
MD5:	7D02D52D9300954CDE2230A5FB9FD713
SHA1:	47CE255E6BF716111115B1384CABC3332011461F
SHA-256:	B504466B52EC4549ED31AD8EE608919E7E23B0008B7244A1D133CB74051D680A
SHA-512:	0FEC7F3413D5DBA21573E37DF4C7DF7F6A906A760771CE3AB3CB2175138B8BC2A83EBED14D5D133EE65ABD9C155C66D8C71FCB3F6495E587F73D5122ED7BA37C
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."........................................I.......................!..1AQ.a.."q....2BR.3S....#Cbr....$4...5c..ETs.................................%.......................!Q.1..A"2#Rq............?...$.(._.\|r.H..A....4.....g.r..!6.\|...@.$}.....La.Q<..Pp.p...>(..t.Q...%.@.P...).P..`.".&....;."`..(@....P..E.5$...K<&.r...%$.I.y I.$r.4!.CP#.. .5...I..La...Y@..@....";&.0...bb.".(.I4.45.'..><.N..#.\..)}. Q........(.... ...XK.C=....O../$..(.@.@BY.)G.I....9O.4....... ........I.9.gD."P9.@`..!#..%&...B3.D...!..` ....SD.......:(#..'.....K...... . .d..t@..I..!.L.#.H..yO.#.P.y...y.(@..%1.$y@..!..c...9BG...O..QHL)5$..)r..I..!.5.CP..GD.4..L.. .)..H.Q..!..y.%..(.&...8.QK..{.D....(M....P..PyB2y@.!..>..% ..8....t.D.....nS.A..9...UBI....Da...M..e......T.%.EFz .>HN...F!..D..).0.....1.S...;...'.C.H.... S....r..P&.)5

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.743984654140264
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	The Earth.exe
File size:	961'024 bytes
MD5:	14a768ab6e61a8a0ee8daca2b9bd9dd5
SHA1:	353d126cbb0e58c5b819437430aa6ed39a8b66cd
SHA256:	e38326b7a229abce1d75a3256137dfb8f93327593b458436aa7b794329542115
SHA512:	023416457e1563d04554c723ead94baec483e971c42192638e1c6ab0805a3489d85cbccaff82d04968610de77c795e86a9ecdaaab96037e20decb67d5647b824
SSDEEP:	24576:0uE32YtcuBBgGQzNhY7UwJ4GYm2MSSFS32z0:up63wKGd2j3f
TLSH:	79159E52B3C7D0B2DFA626F3D6B487761939B938173C89CB7390283DE8906C16A35359
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+..6o..eo..eo..etp\|e[..etp}e...ef.Teh..ef.Der..eo..e...etpIer..etpxeD..etpMen..etpJen..eRicho..e........................PE..L..

File Icon


Icon Hash:	133939b8b95d631f

Static PE Info

General

Entrypoint:	0x492e13
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x6082799A [Fri Apr 23 07:39:06 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	7534b3971bfd7b1aa0f5a023d960bfad

Entrypoint Preview

Instruction
call 00007F632490D345h
jmp 00007F63249075DEh
int3
int3
int3
push esi
mov eax, dword ptr [esp+14h]
or eax, eax
jne 00007F632490777Ah
mov ecx, dword ptr [esp+10h]
mov eax, dword ptr [esp+0Ch]
xor edx, edx
div ecx
mov ebx, eax
mov eax, dword ptr [esp+08h]
div ecx
mov esi, eax
mov eax, ebx
mul dword ptr [esp+10h]
mov ecx, eax
mov eax, esi
mul dword ptr [esp+10h]
add edx, ecx
jmp 00007F6324907799h
mov ecx, eax
mov ebx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
mov eax, dword ptr [esp+08h]
shr ecx, 1
rcr ebx, 1
shr edx, 1
rcr eax, 1
or ecx, ecx
jne 00007F6324907746h
div ebx
mov esi, eax
mul dword ptr [esp+14h]
mov ecx, eax
mov eax, dword ptr [esp+10h]
mul esi
add edx, ecx
jc 00007F6324907760h
cmp edx, dword ptr [esp+0Ch]
jnbe 00007F632490775Ah
jc 00007F6324907761h
cmp eax, dword ptr [esp+08h]
jbe 00007F632490775Bh
dec esi
sub eax, dword ptr [esp+10h]
sbb edx, dword ptr [esp+14h]
xor ebx, ebx
sub eax, dword ptr [esp+08h]
sbb edx, dword ptr [esp+0Ch]
neg edx
neg eax
sbb edx, 00000000h
mov ecx, edx
mov edx, ebx
mov ebx, ecx
mov ecx, eax
mov eax, esi
pop esi
retn 0010h
sub eax, 000003A4h
je 00007F6324907774h
sub eax, 04h
je 00007F6324907769h
sub eax, 0Dh
je 00007F632490775Eh
dec eax
je 00007F6324907755h
xor eax, eax
ret
mov eax, 00000404h
ret
mov eax, 00000412h
ret
mov eax, 00000804h

Rich Headers

Programming Language:

[C++] VS2010 SP1 build 40219
[ C ] VS2010 SP1 build 40219
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc249c	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x238ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa1000	0x744	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9f901	0x9fa00	c64cd53d52cb5a88effb21be15484b84	False	0.5521072949295223	data	6.61086577109022	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa1000	0x23c1e	0x23e00	a8f8eab93d76788abf92711f7f41abbf	False	0.24069033101045295	data	4.821308658043694	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc5000	0x8f98	0x3400	7c1be292a66b58b674e9ca401dcd12aa	False	0.34337439903846156	data	3.873461701883194	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xce000	0x238ec	0x23a00	dc18bdc15aba3c6cbc3d9dbd62968b13	False	0.9123081140350877	data	7.695210311093567	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xce5b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6263326226012793
RT_ICON	0xcf460	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7635379061371841
RT_ICON	0xcfd08	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.8248847926267281
RT_ICON	0xd03d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6941489361702128
RT_ICON	0xd0838	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6622340425531915
RT_ICON	0xd0ca0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6453900709219859
RT_ICON	0xd1108	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.6655405405405406
RT_ICON	0xd1230	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.6235549132947977
RT_ICON	0xd1798	0x13e36	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0003805455304313
RT_ICON	0xe55d0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.6312240663900415
RT_ICON	0xe7b78	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6590056285178236
RT_ICON	0xe8c20	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.7213114754098361
RT_ICON	0xe95a8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7606382978723404
RT_MENU	0xe9a10	0x2c8	data	English	United States	0.46207865168539325
RT_DIALOG	0xe9cd8	0xe8	data	English	United States	0.6206896551724138
RT_ACCELERATOR	0xe9dc0	0x48	data	English	United States	0.8194444444444444
RT_RCDATA	0xe9e08	0x113	ASCII text	English	United States	0.8
RT_RCDATA	0xe9f1c	0x7209	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 640x487, components 3	English	United States	0.9986640633028466
RT_GROUP_ICON	0xf1128	0x84	data	English	United States	0.6742424242424242
RT_GROUP_ICON	0xf11ac	0x14	data	English	United States	1.25
RT_GROUP_ICON	0xf11c0	0x14	data	English	United States	1.25
RT_GROUP_ICON	0xf11d4	0x14	data	English	United States	1.25
RT_GROUP_ICON	0xf11e8	0x14	data	English	United States	1.25
RT_VERSION	0xf11fc	0x1fc	data	English	United States	0.5059055118110236
RT_MANIFEST	0xf13f8	0x4f4	ASCII text, with very long lines (1268), with no line terminators	English	United States	0.4755520504731861

Imports

DLL	Import
WSOCK32.dll	gethostbyname, inet_addr, WSACleanup, gethostname, WSAStartup
WINMM.dll	mixerGetLineInfoW, mixerGetDevCapsW, mixerOpen, mciSendStringW, joyGetPosEx, mixerGetLineControlsW, mixerGetControlDetailsW, mixerSetControlDetails, waveOutGetVolume, mixerClose, waveOutSetVolume, joyGetDevCapsW
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
COMCTL32.dll	ImageList_Create, CreateStatusWindowW, ImageList_ReplaceIcon, InitCommonControlsEx, ImageList_GetIconSize, ImageList_Destroy, ImageList_AddMasked
PSAPI.DLL	GetModuleBaseNameW, GetModuleFileNameExW
WININET.dll	InternetOpenW, InternetOpenUrlW, InternetCloseHandle, InternetReadFileExA, InternetReadFile
KERNEL32.dll	GetSystemTimeAsFileTime, FindResourceW, SizeofResource, LoadResource, LockResource, GetFullPathNameW, GetShortPathNameW, FindFirstFileW, FindNextFileW, FindClose, FileTimeToLocalFileTime, SetEnvironmentVariableW, Beep, MoveFileW, OutputDebugStringW, CreateProcessW, GetFileAttributesW, WideCharToMultiByte, MultiByteToWideChar, GetExitCodeProcess, WriteProcessMemory, ReadProcessMemory, GetCurrentProcessId, OpenProcess, TerminateProcess, SetPriorityClass, SetLastError, GetEnvironmentVariableW, GetLocalTime, GetDateFormatW, GetTimeFormatW, GetDiskFreeSpaceExW, SetVolumeLabelW, CreateFileW, DeviceIoControl, GetDriveTypeW, GetVolumeInformationW, GetDiskFreeSpaceW, GetCurrentDirectoryW, CreateDirectoryW, ReadFile, WriteFile, DeleteFileW, SetFileAttributesW, LocalFileTimeToFileTime, GetModuleFileNameW, GetFileSizeEx, GetSystemTime, GetSystemDefaultUILanguage, GetComputerNameW, GetSystemWindowsDirectoryW, GetTempPathW, EnterCriticalSection, LeaveCriticalSection, VirtualProtect, QueryDosDeviceW, CompareStringW, RemoveDirectoryW, CopyFileW, GetCurrentProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FormatMessageW, GetPrivateProfileStringW, GetPrivateProfileSectionW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, WritePrivateProfileSectionW, SetEndOfFile, GetACP, GetFileType, GetStdHandle, SetFilePointerEx, SystemTimeToFileTime, FileTimeToSystemTime, GetFileSize, VirtualAllocEx, VirtualFreeEx, EnumResourceNamesW, LoadLibraryExW, GlobalSize, HeapSize, HeapReAlloc, HeapFree, ExitProcess, HeapAlloc, InterlockedIncrement, InterlockedDecrement, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, UnhandledExceptionFilter, SetUnhandledExceptionFilter, DeleteCriticalSection, GetCPInfo, GetVersionExW, GetModuleHandleW, FreeLibrary, GetProcAddress, LoadLibraryW, GetLastError, CreateMutexW, CloseHandle, GetExitCodeThread, SetThreadPriority, CreateThread, GetStringTypeExW, lstrcmpiW, GetCurrentThreadId, GlobalUnlock, GlobalFree, GlobalAlloc, GlobalLock, SetErrorMode, InitializeCriticalSection, SetCurrentDirectoryW, Sleep, GetTickCount, MulDiv, IsDebuggerPresent, HeapCreate, InitializeCriticalSectionAndSpinCount, HeapQueryInformation, GetCommandLineW, HeapSetInformation, SetHandleCount, IsProcessorFeaturePresent, GetStringTypeW, RaiseException, LCMapStringW, RtlUnwind, GetConsoleCP, GetConsoleMode, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetStartupInfoW, SetFilePointer, FlushFileBuffers, WriteConsoleW, SetStdHandle, GetProcessHeap, SetFileTime, VirtualQuery
USER32.dll	GetDlgItem, SetDlgItemTextW, MessageBeep, ClientToScreen, GetCursorInfo, GetLastInputInfo, GetSystemMenu, GetMenuItemCount, GetMenuItemID, GetSubMenu, GetMenuStringW, ExitWindowsEx, SetMenu, FlashWindow, GetPropW, SetPropW, RemovePropW, MapWindowPoints, RedrawWindow, SetParent, GetClassInfoExW, GetAncestor, UpdateWindow, GetMessagePos, GetClassLongW, DefDlgProcW, CallWindowProcW, CheckRadioButton, IntersectRect, GetUpdateRect, PtInRect, CreateDialogIndirectParamW, CreateAcceleratorTableW, DestroyAcceleratorTable, InsertMenuItemW, SetMenuDefaultItem, RemoveMenu, SetMenuItemInfoW, IsMenu, GetMenuItemInfoW, CreateMenu, CreatePopupMenu, SetMenuInfo, AppendMenuW, DestroyMenu, TrackPopupMenuEx, GetDesktopWindow, CopyImage, CreateIconIndirect, CreateIconFromResourceEx, EnumClipboardFormats, GetWindow, BringWindowToTop, MessageBoxW, GetTopWindow, GetQueueStatus, SendDlgItemMessageW, EnableMenuItem, GetMenu, CreateWindowExW, RegisterClassExW, LoadCursorW, DestroyIcon, DestroyWindow, GetWindowTextLengthW, VkKeyScanExW, MapVirtualKeyExW, GetKeyboardLayoutNameW, ActivateKeyboardLayout, GetGUIThreadInfo, GetWindowTextW, mouse_event, WindowFromPoint, GetSystemMetrics, keybd_event, SetKeyboardState, GetKeyboardState, GetCursorPos, GetAsyncKeyState, AttachThreadInput, SendInput, UnregisterHotKey, RegisterHotKey, PostQuitMessage, SendMessageTimeoutW, UnhookWindowsHookEx, SetWindowsHookExW, PostThreadMessageW, IsCharAlphaNumericW, IsCharUpperW, IsCharLowerW, ToUnicodeEx, GetKeyboardLayout, CallNextHookEx, CharLowerW, ReleaseDC, GetDC, OpenClipboard, GetClipboardData, GetClipboardFormatNameW, CloseClipboard, SetClipboardData, EmptyClipboard, PostMessageW, FindWindowW, EndDialog, IsWindow, DispatchMessageW, TranslateMessage, ShowWindow, CountClipboardFormats, SetWindowLongW, ScreenToClient, IsDialogMessageW, SendMessageW, DialogBoxParamW, SetForegroundWindow, DefWindowProcW, FillRect, DrawIconEx, GetSysColorBrush, GetSysColor, RegisterWindowMessageW, GetMonitorInfoW, EnumDisplayMonitors, IsIconic, IsZoomed, LoadAcceleratorsW, EnumWindows, IsWindowEnabled, GetWindowLongW, GetKeyState, TranslateAcceleratorW, KillTimer, PeekMessageW, GetFocus, GetClassNameW, GetWindowThreadProcessId, GetForegroundWindow, GetMessageW, EnableWindow, InvalidateRect, SetLayeredWindowAttributes, SetWindowPos, SetWindowRgn, SetFocus, SetActiveWindow, EnumChildWindows, MoveWindow, GetWindowRect, GetClientRect, SystemParametersInfoW, AdjustWindowRectEx, DrawTextW, SetRect, GetIconInfo, SetWindowTextW, IsWindowVisible, BlockInput, CheckMenuItem, LoadImageW, SetTimer, GetParent, GetDlgCtrlID, CharUpperW, IsClipboardFormatAvailable, ChangeClipboardChain, MapVirtualKeyW, SetClipboardViewer, IsCharAlphaW
GDI32.dll	GetPixel, GetClipRgn, GetCharABCWidthsW, SetBkMode, CreatePatternBrush, SetBrushOrgEx, EnumFontFamiliesExW, CreateDIBSection, GdiFlush, SetBkColor, ExcludeClipRect, SetTextColor, GetClipBox, BitBlt, CreateCompatibleBitmap, GetSystemPaletteEntries, GetDIBits, CreateCompatibleDC, CreatePolygonRgn, CreateRectRgn, CreateRoundRectRgn, CreateEllipticRgn, DeleteDC, GetObjectW, GetTextMetricsW, GetTextFaceW, SelectObject, GetStockObject, CreateDCW, CreateSolidBrush, CreateFontW, FillRgn, GetDeviceCaps, DeleteObject
COMDLG32.dll	CommDlgExtendedError, GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, GetUserNameW, RegEnumKeyExW, RegEnumValueW, RegQueryInfoKeyW, RegOpenKeyExW, RegCloseKey, RegConnectRegistryW, RegDeleteValueW
SHELL32.dll	DragQueryPoint, SHEmptyRecycleBinW, SHFileOperationW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetDesktopFolder, SHGetMalloc, SHGetFolderPathW, ShellExecuteExW, Shell_NotifyIconW, DragFinish, DragQueryFileW, ExtractIconW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, CoInitialize, CoUninitialize, CLSIDFromString, CLSIDFromProgID, CoGetObject, StringFromGUID2, CreateStreamOnHGlobal
OLEAUT32.dll	SafeArrayGetLBound, GetActiveObject, OleLoadPicture, SafeArrayUnaccessData, SafeArrayGetElemsize, SafeArrayAccessData, SafeArrayUnlock, SafeArrayPtrOfIndex, SafeArrayLock, SafeArrayGetDim, SafeArrayDestroy, SafeArrayGetUBound, VariantCopyInd, SafeArrayCopy, SysAllocString, VariantChangeType, VariantClear, SafeArrayCreate, SysFreeString, SysStringLen

Version Infos

Description	Data
FileDescription
FileVersion	1.1.33.08
InternalName
LegalCopyright
OriginalFilename
ProductName
ProductVersion	1.1.33.08
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 16, 2025 21:56:22.037312984 CET	51984	53	192.168.2.12	1.1.1.1
Mar 16, 2025 21:56:22.043879032 CET	53	51984	1.1.1.1	192.168.2.12
Mar 16, 2025 21:56:29.811472893 CET	63685	53	192.168.2.12	1.1.1.1
Mar 16, 2025 21:56:29.858328104 CET	53	63685	1.1.1.1	192.168.2.12
Mar 16, 2025 21:57:25.253441095 CET	59803	53	192.168.2.12	1.1.1.1
Mar 16, 2025 21:57:25.260073900 CET	53	59803	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 16, 2025 21:56:22.037312984 CET	192.168.2.12	1.1.1.1	0xc629	Standard query (0)	api.msn.com	A (IP address)	IN (0x0001)	false
Mar 16, 2025 21:56:29.811472893 CET	192.168.2.12	1.1.1.1	0x5064	Standard query (0)	otelrules.svc.static.microsoft	A (IP address)	IN (0x0001)	false
Mar 16, 2025 21:57:25.253441095 CET	192.168.2.12	1.1.1.1	0xb55b	Standard query (0)	c.pki.goog	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 16, 2025 21:56:07.820893049 CET	1.1.1.1	192.168.2.12	0x6265	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Mar 16, 2025 21:56:07.820893049 CET	1.1.1.1	192.168.2.12	0x6265	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Mar 16, 2025 21:56:22.043879032 CET	1.1.1.1	192.168.2.12	0xc629	No error (0)	api.msn.com	api-msn-com-oneservice-world-default.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 16, 2025 21:56:22.043879032 CET	1.1.1.1	192.168.2.12	0xc629	No error (0)	api-msn-com-oneservice-world-default.trafficmanager.net	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 16, 2025 21:56:22.043879032 CET	1.1.1.1	192.168.2.12	0xc629	No error (0)	api-msn-com.a-0003.a-msedge.net	a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 16, 2025 21:56:22.043879032 CET	1.1.1.1	192.168.2.12	0xc629	No error (0)	a-0003.a-msedge.net		204.79.197.203	A (IP address)	IN (0x0001)	false
Mar 16, 2025 21:56:29.858328104 CET	1.1.1.1	192.168.2.12	0x5064	No error (0)	otelrules.svc.static.microsoft	otelrules-bzhndjfje8dvh5fd.z01.azurefd.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 16, 2025 21:56:29.858328104 CET	1.1.1.1	192.168.2.12	0x5064	No error (0)	otelrules-bzhndjfje8dvh5fd.z01.azurefd.net	star-azurefd-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 16, 2025 21:56:29.858328104 CET	1.1.1.1	192.168.2.12	0x5064	No error (0)	star-azurefd-prod.trafficmanager.net	shed.dual-low.s-part-0032.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 16, 2025 21:56:29.858328104 CET	1.1.1.1	192.168.2.12	0x5064	No error (0)	shed.dual-low.s-part-0032.t-0009.t-msedge.net	s-part-0032.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 16, 2025 21:56:29.858328104 CET	1.1.1.1	192.168.2.12	0x5064	No error (0)	s-part-0032.t-0009.t-msedge.net		13.107.246.60	A (IP address)	IN (0x0001)	false
Mar 16, 2025 21:57:25.260073900 CET	1.1.1.1	192.168.2.12	0xb55b	No error (0)	c.pki.goog	pki-goog.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 16, 2025 21:57:25.260073900 CET	1.1.1.1	192.168.2.12	0xb55b	No error (0)	pki-goog.l.google.com		142.250.185.227	A (IP address)	IN (0x0001)	false
Mar 16, 2025 21:57:26.088244915 CET	1.1.1.1	192.168.2.12	0x8296	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Mar 16, 2025 21:57:26.088244915 CET	1.1.1.1	192.168.2.12	0x8296	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	16:55:50
Start date:	16/03/2025
Path:	C:\Users\user\Desktop\The Earth.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\The Earth.exe"
Imagebase:	0x400000
File size:	961'024 bytes
MD5 hash:	14A768AB6E61A8A0EE8DACA2B9BD9DD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:55:53
Start date:	16/03/2025
Path:	C:\Windows\System32\LogonUI.exe
Wow64 process (32bit):	false
Commandline:	"LogonUI.exe" /flags:0x4 /state0:0xa3800855 /state1:0x41c64e6d
Imagebase:	0x7ff643aa0000
File size:	13'824 bytes
MD5 hash:	893144FE49AA16124B5BD3034E79BBC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:55:55
Start date:	16/03/2025
Path:	C:\Windows\System32\cdd.dll
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff64e110000
File size:	267'264 bytes
MD5 hash:	9B684213A399B4E286982BDAD6CF3D07
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	16:55:55
Start date:	16/03/2025
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff7185b0000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:55:55
Start date:	16/03/2025
Path:	C:\Windows\System32\LogonUI.exe
Wow64 process (32bit):	false
Commandline:	"LogonUI.exe" /flags:0x2 /state0:0xa3804855 /state1:0x41c64e6d
Imagebase:	0x7ff643aa0000
File size:	13'824 bytes
MD5 hash:	893144FE49AA16124B5BD3034E79BBC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	16:55:58
Start date:	16/03/2025
Path:	C:\Windows\System32\cdd.dll
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	267'264 bytes
MD5 hash:	9B684213A399B4E286982BDAD6CF3D07
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	16:55:58
Start date:	16/03/2025
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	true
Commandline:	"fontdrvhost.exe"
Imagebase:	0x300000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	16:55:58
Start date:	16/03/2025
Path:	C:\Windows\System32\LogonUI.exe
Wow64 process (32bit):	false
Commandline:	"LogonUI.exe" /flags:0x2 /state0:0xa3815855 /state1:0x41c64e6d
Imagebase:	0x7ff643aa0000
File size:	13'824 bytes
MD5 hash:	893144FE49AA16124B5BD3034E79BBC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	16:55:59
Start date:	16/03/2025
Path:	C:\Windows\System32\cdd.dll
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	267'264 bytes
MD5 hash:	9B684213A399B4E286982BDAD6CF3D07
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	16:55:59
Start date:	16/03/2025
Path:	C:\Windows\System32\LogonUI.exe
Wow64 process (32bit):	false
Commandline:	"LogonUI.exe" /flags:0x2 /state0:0xa3822055 /state1:0x41c64e6d
Imagebase:	0x7ff643aa0000
File size:	13'824 bytes
MD5 hash:	893144FE49AA16124B5BD3034E79BBC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	16:55:59
Start date:	16/03/2025
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff7185b0000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	16:56:09
Start date:	16/03/2025
Path:	C:\Windows\System32\cdd.dll
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	267'264 bytes
MD5 hash:	9B684213A399B4E286982BDAD6CF3D07
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	16:56:09
Start date:	16/03/2025
Path:	C:\Windows\System32\LogonUI.exe
Wow64 process (32bit):	true
Commandline:	"LogonUI.exe" /flags:0x2 /state0:0xa382a055 /state1:0x41c64e6d
Imagebase:	0x300000
File size:	13'824 bytes
MD5 hash:	893144FE49AA16124B5BD3034E79BBC6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	16:56:09
Start date:	16/03/2025
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff7185b0000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report The Earth.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\g.jpeg

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
The Earth.exe