Edit tour

Windows Analysis Report
SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe
Analysis ID:	1665804
MD5:	2191df558e41b894bb7de46b73d22b04
SHA1:	517965b53c86831cd88dad1c63653e347e442f53
SHA256:	40f5ae4aaa26d50dd35cbb46a252ab16314af9c0957d8ac7ca62c2f8a6497c0a
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

Score:	56
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe (PID: 3840 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe" MD5: 2191DF558E41B894BB7DE46B73D22B04)

conhost.exe (PID: 352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe PID: 3840	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\Overlunky.exe

ReversingLabs: Detection: 22%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	ReversingLabs: Detection: 22%
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Virustotal: Detection: 22%			Perma Link

Source: unknown	HTTPS traffic detected: 140.82.112.4:443 -> 192.168.2.4:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49712 version: TLS 1.2

Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Code function: 0_2_00007FF6A5D421E0 ?fail@ios_base@std@@QEBA_NXZ,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,

0_2_00007FF6A5D421E0

Source: Joe Sandbox View	IP Address: 140.82.112.4 140.82.112.4
Source: Joe Sandbox View	IP Address: 185.199.108.133 185.199.108.133
Source: Joe Sandbox View	IP Address: 185.199.108.133 185.199.108.133

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Code function: 0_2_00007FF6A5D136D0 InternetGetConnectedState,InternetOpenA,lstrlenA,InternetOpenUrlA,remove,rename,__acrt_iob_func,fflush,__acrt_iob_func,fflush,fopen_s,InternetCloseHandle,__acrt_iob_func,fflush,__acrt_iob_func,__acrt_iob_func,fflush,__acrt_iob_func,__acrt_iob_func,fflush,__acrt_iob_func,InternetCloseHandle,__acrt_iob_func,fflush,__acrt_iob_func,fflush,HttpQueryInfoA,InternetReadFile,fwrite,InternetReadFile,fwrite,fflush,fclose,InternetCloseHandle,fclose,InternetCloseHandle,__acrt_iob_func,fflush,__acrt_iob_func,

0_2_00007FF6A5D136D0

Source: global traffic	HTTP traffic detected: GET /spelunky-fyi/overlunky/releases/download/whip/Overlunky.dll HTTP/1.1Accept: /User-Agent: Overlunky UpdaterHost: github.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/311203851/4c20cd6b-9a4f-404f-ade4-198a3c7ba37e?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250415%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250415T191913Z&X-Amz-Expires=300&X-Amz-Signature=68173c69b20cb01feb7ec9c1f6df168b384c29de5975c18bacffbf8bccc4a058&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DOverlunky.dll&response-content-type=application%2Foctet-stream HTTP/1.1Accept: /User-Agent: Overlunky UpdaterCache-Control: no-cacheHost: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /spelunky-fyi/overlunky/releases/download/whip/Overlunky.exe HTTP/1.1Accept: /User-Agent: Overlunky UpdaterHost: github.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/311203851/d7b11efa-8940-401f-808f-e581f33bea1b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250415%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250415T191924Z&X-Amz-Expires=300&X-Amz-Signature=cdcc470fcb3f80e87f9edeefb924c29916eb519192931a5838d21c72df5391b9&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DOverlunky.exe&response-content-type=application%2Foctet-stream HTTP/1.1Accept: /User-Agent: Overlunky UpdaterCache-Control: no-cacheHost: objects.githubusercontent.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com

Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3628948650.00007FFC9B62F000.00000002.00000001.01000000.00000009.sdmp, Overlunky.dll.0.dr	String found in binary or memory: http://github.com/kikito/inspect.lua
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3628948650.00007FFC9B62F000.00000002.00000001.01000000.00000009.sdmp, Overlunky.dll.0.dr	String found in binary or memory: http://scripts.sil.org/cms/scripts/page.php?site_id=nrsi&id=iws-appendixa
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3628948650.00007FFC9B62F000.00000002.00000001.01000000.00000009.sdmp, Overlunky.dll.0.dr	String found in binary or memory: http://www.dearimgui.org/faq/
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3628948650.00007FFC9B62F000.00000002.00000001.01000000.00000009.sdmp, Overlunky.dll.0.dr	String found in binary or memory: http://www.dearimgui.org/faq/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~%
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3628948650.00007FFC9B62F000.00000002.00000001.01000000.00000009.sdmp, Overlunky.dll.0.dr	String found in binary or memory: https://api.github.com/repos/spelunky-fyi/overlunky/git/ref/tags/whip
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3624491053.0000016B67B6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3624710287.0000016B67BBB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000003.3463965408.0000016B67BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/p
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3628948650.00007FFC9B62F000.00000002.00000001.01000000.00000009.sdmp, Overlunky.dll.0.dr	String found in binary or memory: https://github.com/spelunky-fyi/overlunky#overlunky
Source: Overlunky.exe.0.dr	String found in binary or memory: https://github.com/spelunky-fyi/overlunky/releases/download/whip/Overlunky.dll
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3624710287.0000016B67BBB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000003.3463965408.0000016B67BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/spelunky-fyi/overlunky/releases/download/whip/Overlunky.dll3
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, Overlunky.exe.0.dr	String found in binary or memory: https://github.com/spelunky-fyi/overlunky/releases/download/whip/Overlunky.exe
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, Overlunky.exe.0.dr	String found in binary or memory: https://github.com/spelunky-fyi/overlunky/releases/download/whip/Overlunky.exe../Spel2.exetrueupdate
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3628948650.00007FFC9B62F000.00000002.00000001.01000000.00000009.sdmp, Overlunky.dll.0.dr	String found in binary or memory: https://github.com/spelunky-fyi/overlunky/releases/tag/whip
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3624710287.0000016B67BBB000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000003.3463965408.0000016B67BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/y
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000003.1170316193.0000016B67BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000003.1170185282.0000016B67BF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000003.1170316193.0000016B67BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/_
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000003.3463867505.0000016B67C2D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000003.3463932641.0000016B67C3E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3625112771.0000016B67C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/github-production-
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000003.1170409408.0000016B67C4C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000003.3463932641.0000016B67C3E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3625112771.0000016B67C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/311203851/4c20cd6b-9a4f
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000003.3463965408.0000016B67BDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/311203851/d7b11efa-8940
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000003.1170185282.0000016B67BF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000003.1170316193.0000016B67BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/o
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3628948650.00007FFC9B62F000.00000002.00000001.01000000.00000009.sdmp, Overlunky.dll.0.dr	String found in binary or memory: https://spelunky-fyi.github.io/overlunky/
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3628948650.00007FFC9B62F000.00000002.00000001.01000000.00000009.sdmp, Overlunky.dll.0.dr	String found in binary or memory: https://spelunky-fyi.github.io/overlunky/Read

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 140.82.112.4:443 -> 192.168.2.4:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.4:49712 version: TLS 1.2

Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3628948650.00007FFC9B62F000.00000002.00000001.01000000.00000009.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_0b8d1242-7

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe PID: 3840, type: MEMORYSTR

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D16F20	0_2_00007FF6A5D16F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D11290	0_2_00007FF6A5D11290
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D1B250	0_2_00007FF6A5D1B250
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D29700	0_2_00007FF6A5D29700
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D3E700	0_2_00007FF6A5D3E700
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D3C6F0	0_2_00007FF6A5D3C6F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D2A6D0	0_2_00007FF6A5D2A6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D30660	0_2_00007FF6A5D30660
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D3D600	0_2_00007FF6A5D3D600
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D3D0D0	0_2_00007FF6A5D3D0D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D3A000	0_2_00007FF6A5D3A000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D257F0	0_2_00007FF6A5D257F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D3D7D0	0_2_00007FF6A5D3D7D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D32790	0_2_00007FF6A5D32790
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D1AF70	0_2_00007FF6A5D1AF70
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D33A90	0_2_00007FF6A5D33A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D3AA00	0_2_00007FF6A5D3AA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D421E0	0_2_00007FF6A5D421E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D2A9B0	0_2_00007FF6A5D2A9B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D379B0	0_2_00007FF6A5D379B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D40970	0_2_00007FF6A5D40970
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D40140	0_2_00007FF6A5D40140
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D29500	0_2_00007FF6A5D29500
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D3ECF0	0_2_00007FF6A5D3ECF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D38490	0_2_00007FF6A5D38490
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D14C40	0_2_00007FF6A5D14C40
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D3A430	0_2_00007FF6A5D3A430
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D3AB80	0_2_00007FF6A5D3AB80

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Code function: String function: 00007FF6A5D28400 appears 58 times

Source: classification engine

Classification label: mal56.winEXE@2/3@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Code function: 0_2_00007FF6A5D24220 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,strrchr,strlen,memcpy,memcpy,_invalid_parameter_noinfo_noreturn,__std_terminate,

0_2_00007FF6A5D24220

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

File created: C:\Users\user\Desktop\Overlunky.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:352:120:WilError_03

Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	ReversingLabs: Detection: 22%
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Virustotal: Detection: 22%

Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: Formatting exception: --inject use the old injection method instead of Detours with --launch_game
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] --inject use the old injection method instead of Detours with --launch_game
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [panic] Injecting failed, maybe you should try --launch_game instead...
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: Formatting exception:Injecting failed, maybe you should try --launch_game instead...
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] --help show this helpful help
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] --help show this helpful help
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: Formatting exception: --launch_game [path] launch ../Spel2.exe, path/Spel2.exe, or a specific exe, and load OL with Detours
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] Already injected, let's not do that again. If you want to inject multiple game processes, use the --launch_game parameter.
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] --launch_game [path] launch ../Spel2.exe, path/Spel2.exe, or a specific exe, and load OL with Detours
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] Without --launch_game the launcher will search for a process called Spel2.exe and inject OL when found.
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: Formatting exception: --help show this helpful help
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: Formatting exception: --help show this helpful help
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: Formatting exception:Already injected, let's not do that again. If you want to inject multiple game processes, use the --launch_game parameter.
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: Formatting exception:Without --launch_game the launcher will search for a process called Spel2.exe and inject OL when found.
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] Without --launch_game the launcher will search for a process called Spel2.exe and inject OL when found.
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] --inject use the old injection method instead of Detours with --launch_game
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] --help show this helpful help
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] --help show this helpful help
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] --launch_game [path] launch ../Spel2.exe, path/Spel2.exe, or a specific exe, and load OL with Detours
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [panic] Injecting failed, maybe you should try --launch_game instead...
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] Already injected, let's not do that again. If you want to inject multiple game processes, use the --launch_game parameter.
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: Formatting exception: --launch_game [path] launch ../Spel2.exe, path/Spel2.exe, or a specific exe, and load OL with Detours
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: Formatting exception: --help show this helpful help
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: Formatting exception: --help show this helpful help
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: Formatting exception: --inject use the old injection method instead of Detours with --launch_game
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: Formatting exception:Already injected, let's not do that again. If you want to inject multiple game processes, use the --launch_game parameter.
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: Formatting exception:Without --launch_game the launcher will search for a process called Spel2.exe and inject OL when found.
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: Formatting exception:Injecting failed, maybe you should try --launch_game instead...
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] --launch_game [path] launch ../Spel2.exe, path/Spel2.exe, or a specific exe, and load OL with Detours
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] --help show this helpful help
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] --help show this helpful help
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] --inject use the old injection method instead of Detours with --launch_game
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] Already injected, let's not do that again. If you want to inject multiple game processes, use the --launch_game parameter.
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [info] Without --launch_game the launcher will search for a process called Spel2.exe and inject OL when found.
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: [panic] Injecting failed, maybe you should try --launch_game instead...
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: {}{}Formatting exception:Cannot find the address of the library in current process: {}Formatting exception:Cannot find library in the target process: {}Formatting exception:Overlunky DLL version: {}Formatting exception:Overlunky EXE version: {}Formatting exception:Found Spel2.exe PID: {}Formatting exception:Cannot find the address of the function in current process: {} :: {}Formatting exception:Injecting DLL into process... {}Formatting exception:Launching game... {}Formatting exception:Launching game with DLL... {}Formatting exception:DLL not found! {}Formatting exception:Allocation failed: {:#x}OverlunkyImagehlpApiVersionExbad castformat specifier requires numeric argumentFormatting exception:AutoUpdate: Can't connect to the internetinjectFormatting exception: --oldflip launch the game with -oldflip, may improve performance with external windowsstatusexistsFormatting exception: --launch_game [path] launch ../Spel2.exe, path/Spel2.exe, or a specific exe, and load OL with DetoursSymSetOptionsSymGetOptions%s:%d: assertion failed: %s.detourOverlunky Updaterunknown format specifierinvalid format specifierupdate_launcherprecision is not integerwidth is not integerinvalid format specifier for charinfo_dumpFormatting exception: --help show this helpful helpoldflipUnknown exceptioninvalid string positionFormatting exception: --version show version informationdll_versionOverlunky.versionnegative precisioninvalid precision_CorExeMainnansystemstring pointer is null\Overlunky.dllhttps://github.com/spelunky-fyi/overlunky/releases/download/whip/Overlunky.dll\info_dump.dllcanonicalbad array new lengthnegative widthvector too longstring too longcannot switch from automatic to manual argument indexingcannot switch from manual to automatic argument indexingmissing '}' in format stringunmatched '}' in format stringinvalid format stringnumber is too biginf0123456789abcdefSymInitializehttps://github.com/spelunky-fyi/overlunky/releases/download/whip/Overlunky.exe../Spel2.exetrueupdateOverlunky UpdatefalseFormatting exception: --inject use the old injection method instead of Detours with --launch_gameSymFromNameconsoleFormatting exception:AutoUpdate: Can't write new filecannot write to fileargument not foundOverlunky.dll.oldOverlunky.exe.oldFormatting exception: --update_launcher update launcher to the latest WHIP buildFormatting exception: --update reset AutoUpdate setting and update launcher and DLL to the latest WHIP buildFormatting exception:DLL injecteddisabledFormatting exception: --console keep console open to debug scripts etcgenericwbFormatting exception:AutoUpdate: Can't connect to githubFormatting exception:AutoUpdate: Can't get version information from githubFormatting exception:AutoUpdate: Can't get release information from githubFormatting exception:AutoUpdate: Can't read file from githubWINDIRNANFormatting exception:Game launched with DLLFormatting
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: {}{}Formatting exception:Cannot find the address of the library in current process: {}Formatting exception:Cannot find library in the target process: {}Formatting exception:Overlunky DLL version: {}Formatting exception:Overlunky EXE version: {}Formatting exception:Found Spel2.exe PID: {}Formatting exception:Cannot find the address of the function in current process: {} :: {}Formatting exception:Injecting DLL into process... {}Formatting exception:Launching game... {}Formatting exception:Launching game with DLL... {}Formatting exception:DLL not found! {}Formatting exception:Allocation failed: {:#x}OverlunkyImagehlpApiVersionExbad castformat specifier requires numeric argumentFormatting exception:AutoUpdate: Can't connect to the internetinjectFormatting exception: --oldflip launch the game with -oldflip, may improve performance with external windowsstatusexistsFormatting exception: --launch_game [path] launch ../Spel2.exe, path/Spel2.exe, or a specific exe, and load OL with DetoursSymSetOptionsSymGetOptions%s:%d: assertion failed: %s.detourOverlunky Updaterunknown format specifierinvalid format specifierupdate_launcherprecision is not integerwidth is not integerinvalid format specifier for charinfo_dumpFormatting exception: --help show this helpful helpoldflipUnknown exceptioninvalid string positionFormatting exception: --version show version informationdll_versionOverlunky.versionnegative precisioninvalid precision_CorExeMainnansystemstring pointer is null\Overlunky.dllhttps://github.com/spelunky-fyi/overlunky/releases/download/whip/Overlunky.dll\info_dump.dllcanonicalbad array new lengthnegative widthvector too longstring too longcannot switch from automatic to manual argument indexingcannot switch from manual to automatic argument indexingmissing '}' in format stringunmatched '}' in format stringinvalid format stringnumber is too biginf0123456789abcdefSymInitializehttps://github.com/spelunky-fyi/overlunky/releases/download/whip/Overlunky.exe../Spel2.exetrueupdateOverlunky UpdatefalseFormatting exception: --inject use the old injection method instead of Detours with --launch_gameSymFromNameconsoleFormatting exception:AutoUpdate: Can't write new filecannot write to fileargument not foundOverlunky.dll.oldOverlunky.exe.oldFormatting exception: --update_launcher update launcher to the latest WHIP buildFormatting exception: --update reset AutoUpdate setting and update launcher and DLL to the latest WHIP buildFormatting exception:DLL injecteddisabledFormatting exception: --console keep console open to debug scripts etcgenericwbFormatting exception:AutoUpdate: Can't connect to githubFormatting exception:AutoUpdate: Can't get version information from githubFormatting exception:AutoUpdate: Can't get release information from githubFormatting exception:AutoUpdate: Can't read file from githubWINDIRNANFormatting exception:Game launched with DLLFormatting
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	String found in binary or memory: {}{}Formatting exception:Cannot find the address of the library in current process: {}Formatting exception:Cannot find library in the target process: {}Formatting exception:Overlunky DLL version: {}Formatting exception:Overlunky EXE version: {}Formatting exception:Found Spel2.exe PID: {}Formatting exception:Cannot find the address of the function in current process: {} :: {}Formatting exception:Injecting DLL into process... {}Formatting exception:Launching game... {}Formatting exception:Launching game with DLL... {}Formatting exception:DLL not found! {}Formatting exception:Allocation failed: {:#x}OverlunkyImagehlpApiVersionExbad castformat specifier requires numeric argumentFormatting exception:AutoUpdate: Can't connect to the internetinjectFormatting exception: --oldflip launch the game with -oldflip, may improve performance with external windowsstatusexistsFormatting exception: --launch_game [path] launch ../Spel2.exe, path/Spel2.exe, or a specific exe, and load OL with DetoursSymSetOptionsSymGetOptions%s:%d: assertion failed: %s.detourOverlunky Updaterunknown format specifierinvalid format specifierupdate_launcherprecision is not integerwidth is not integerinvalid format specifier for charinfo_dumpFormatting exception: --help show this helpful helpoldflipUnknown exceptioninvalid string positionFormatting exception: --version show version informationdll_versionOverlunky.versionnegative precisioninvalid precision_CorExeMainnansystemstring pointer is null\Overlunky.dllhttps://github.com/spelunky-fyi/overlunky/releases/download/whip/Overlunky.dll\info_dump.dllcanonicalbad array new lengthnegative widthvector too longstring too longcannot switch from automatic to manual argument indexingcannot switch from manual to automatic argument indexingmissing '}' in format stringunmatched '}' in format stringinvalid format stringnumber is too biginf0123456789abcdefSymInitializehttps://github.com/spelunky-fyi/overlunky/releases/download/whip/Overlunky.exe../Spel2.exetrueupdateOverlunky UpdatefalseFormatting exception: --inject use the old injection method instead of Detours with --launch_gameSymFromNameconsoleFormatting exception:AutoUpdate: Can't write new filecannot write to fileargument not foundOverlunky.dll.oldOverlunky.exe.oldFormatting exception: --update_launcher update launcher to the latest WHIP buildFormatting exception: --update reset AutoUpdate setting and update launcher and DLL to the latest WHIP buildFormatting exception:DLL injecteddisabledFormatting exception: --console keep console open to debug scripts etcgenericwbFormatting exception:AutoUpdate: Can't connect to githubFormatting exception:AutoUpdate: Can't get version information from githubFormatting exception:AutoUpdate: Can't get release information from githubFormatting exception:AutoUpdate: Can't read file from githubWINDIRNANFormatting exception:Game launched with DLLFormatting

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe "C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Code function: 0_2_00007FF6A5D23300 _getche,LoadLibraryA,GetProcAddress,__acrt_iob_func,fflush,__acrt_iob_func,__acrt_iob_func,fflush,__acrt_iob_func,fflush,memcpy,memcpy,puts,puts,puts,puts,

0_2_00007FF6A5D23300

Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Static PE information: section name: .00cfg
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Static PE information: section name: .detourc
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Static PE information: section name: .detourd
Source: Overlunky.dll.0.dr	Static PE information: section name: .00cfg
Source: Overlunky.dll.0.dr	Static PE information: section name: .detourc
Source: Overlunky.dll.0.dr	Static PE information: section name: .detourd
Source: Overlunky.exe.0.dr	Static PE information: section name: .00cfg
Source: Overlunky.exe.0.dr	Static PE information: section name: .detourc
Source: Overlunky.exe.0.dr	Static PE information: section name: .detourd

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	File created: C:\Users\user\Desktop\Overlunky.dll			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	File created: C:\Users\user\Desktop\Overlunky.exe			Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Window / User API: threadDelayed 428	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Window / User API: threadDelayed 3765	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Window / User API: threadDelayed 2442	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Window / User API: threadDelayed 1508	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Window / User API: threadDelayed 783	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\Overlunky.dll

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

API coverage: 9.2 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe TID: 5324

Thread sleep time: -85600s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

0_2_00007FF6A5D421E0

Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3624710287.0000016B67BDF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000003.3463965408.0000016B67BDF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW7
Source: SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3624710287.0000016B67BDF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000002.3624710287.0000016B67B9F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000003.3463965408.0000016B67B9D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe, 00000000.00000003.3463965408.0000016B67BDF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Code function: 0_2_00007FF6A5D42F60 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6A5D42F60

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Code function: 0_2_00007FF6A5D23300 _getche,LoadLibraryA,GetProcAddress,__acrt_iob_func,fflush,__acrt_iob_func,__acrt_iob_func,fflush,__acrt_iob_func,fflush,memcpy,memcpy,puts,puts,puts,puts,

0_2_00007FF6A5D23300

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D42F60 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6A5D42F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D42F50 SetUnhandledExceptionFilter,	0_2_00007FF6A5D42F50
Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe	Code function: 0_2_00007FF6A5D43308 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6A5D43308

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Code function: GetLocaleInfoEx,FormatMessageA,

0_2_00007FF6A5D42ACC

Source: C:\Users\user\Desktop\SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Code function: 0_2_00007FF6A5D435B0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6A5D435B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SecuriteInfo.com.W64.ABApplication.VEVX-3560.5245.14683.exe