Windows Analysis Report
XF-Sublime-KG.exe

Overview

General Information

Sample Name: XF-Sublime-KG.exe
Analysis ID: 811712
MD5: 7302bf749281240439214bcbfb334a5a
SHA1: 576204f2c01ca78370c25d3147f8cbed73b7c205
SHA256: e2ee8ae987d783ec5cd4ee7cc8ac968f0ddd85cbd40eacce0df57dea00dc1417
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
PE file has nameless sections
Machine Learning detection for sample
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
PE file contains more sections than normal
Contains functionality to dynamically determine API calls
Found large amount of non-executed APIs
Contains functionality to detect virtual machines (SIDT)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: XF-Sublime-KG.exe ReversingLabs: Detection: 42%
Source: XF-Sublime-KG.exe Virustotal: Detection: 35% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Virustotal: Detection: 18% Perma Link
Machine Learning detection for sample
Source: XF-Sublime-KG.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.XF-Sublime-KG.exe.286606e.1.unpack Avira: Label: TR/Patched.Ren.Gen
Uses 32bit PE files
Source: XF-Sublime-KG.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: XF-Sublime-KG.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: XF-Sublime-KG.exe, 00000000.00000002.521940680.0000000002865000.00000004.00000020.00020000.00000000.sdmp, XF-Sublime-KG.exe, 00000001.00000002.522451285.00000000734C6000.00000008.00000001.01000000.00000005.sdmp, nst2ED8.tmp.0.dr, libwinpthread-1.dll.0.dr String found in binary or memory: http://mingw-w64.sourceforge.net/X
Source: XF-Sublime-KG.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405809

System Summary
barindex
PE file has nameless sections
Source: BASSMOD.dll.0.dr Static PE information: section name:
Source: BASSMOD.dll.0.dr Static PE information: section name:
Uses 32bit PE files
Source: XF-Sublime-KG.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Sample file is different than original file name gathered from version info
Source: XF-Sublime-KG.exe, 00000000.00000002.521940680.0000000002865000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinPthreadGCp( vs XF-Sublime-KG.exe
Source: XF-Sublime-KG.exe, 00000001.00000002.522451285.00000000734C6000.00000008.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenameWinPthreadGCp( vs XF-Sublime-KG.exe
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Detected potential crypto function
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Code function: 0_2_00406D5F 0_2_00406D5F
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_00B739A0 1_2_00B739A0
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_00B77D50 1_2_00B77D50
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_00B76A90 1_2_00B76A90
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_100028F0 1_2_100028F0
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_10010534 1_2_10010534
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_1000ADA0 1_2_1000ADA0
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_100031D8 1_2_100031D8
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_10001B00 1_2_10001B00
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_10009B49 1_2_10009B49
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_10001790 1_2_10001790
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE4B4C0 1_2_6CE4B4C0
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE4FC90 1_2_6CE4FC90
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE4847C 1_2_6CE4847C
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE49C53 1_2_6CE49C53
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE4F420 1_2_6CE4F420
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE56DD7 1_2_6CE56DD7
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE4D5A1 1_2_6CE4D5A1
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE4FEE0 1_2_6CE4FEE0
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE4F6C0 1_2_6CE4F6C0
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE50EC0 1_2_6CE50EC0
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE4D6D8 1_2_6CE4D6D8
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE4DE38 1_2_6CE4DE38
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE468E0 1_2_6CE468E0
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE4F8F0 1_2_6CE4F8F0
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE508B0 1_2_6CE508B0
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE48061 1_2_6CE48061
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE49820 1_2_6CE49820
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE4C830 1_2_6CE4C830
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE47030 1_2_6CE47030
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE501C0 1_2_6CE501C0
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE4C9D4 1_2_6CE4C9D4
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE4D974 1_2_6CE4D974
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE52AB0 1_2_6CE52AB0
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE4CA91 1_2_6CE4CA91
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE50A9C 1_2_6CE50A9C
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE54A10 1_2_6CE54A10
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE46BD0 1_2_6CE46BD0
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE503A0 1_2_6CE503A0
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE47330 1_2_6CE47330
PE file contains more sections than normal
Source: libwinpthread-1.dll.0.dr Static PE information: Number of sections : 11 > 10
Source: BASSMOD.dll.0.dr Static PE information: Section: ZLIB complexity 1.0005039687539372
Source: XF-Sublime-KG.exe ReversingLabs: Detection: 42%
Source: XF-Sublime-KG.exe Virustotal: Detection: 35%
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe File read: C:\Users\user\Desktop\XF-Sublime-KG.exe Jump to behavior
Source: XF-Sublime-KG.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\XF-Sublime-KG.exe C:\Users\user\Desktop\XF-Sublime-KG.exe
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Process created: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Process created: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Jump to behavior
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_00B72EF4 DragQueryFileA,DragQueryFileA,DragQueryFileA,DragQueryFileA,free,DragFinish,DragAcceptFiles,LoadIconA,SendMessageA,SendMessageA,SetWindowTextA,CreateFontA,GetDlgItem,GetDlgItem,SendMessageA,SendMessageA,GetDlgItem,SendMessageA,GetDlgItem,SendMessageA,SetDlgItemTextA,SetDlgItemTextA,SetDlgItemTextA,FindResourceA,SizeofResource,LoadResource,LockResource,BASSMOD_MusicLoad,BASSMOD_MusicGetLength,BASSMOD_MusicPlay,PostMessageA,MessageBoxA,DragAcceptFiles,PostMessageA,LoadCursorA,SetCursor,SetDlgItemTextA,GetDlgItemTextA,SetDlgItemTextA,BASSMOD_MusicPlay,MessageBoxIndirectA,MessageBoxIndirectA,LoadCursorA,SetCursor,SetDlgItemTextA,malloc,EndDialog,BASSMOD_MusicPause,MessageBoxIndirectA,MessageBoxIndirectA, 1_2_00B72EF4
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe File created: C:\Users\user\AppData\Local\Temp\nst2ED7.tmp Jump to behavior
Source: classification engine Classification label: mal64.winEXE@3/6@0/0
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404AB5
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Window detected: Number of UI elements: 14
Source: XF-Sublime-KG.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_00B7E1BB push ebx; ret 1_2_00B7E1BE
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_00B7C9FB pushfd ; retf 1_2_00B7CA01
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_00B7C96D pushfd ; retf 1_2_00B7C973
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_00B7CF96 push es; iretd 1_2_00B7D174
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_1000E989 push FF3F95A1h; ret 1_2_1000E9B9
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_1000CBA0 push eax; ret 1_2_1000CBCE
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE414E0 push dword ptr [eax+04h]; ret 1_2_6CE4150F
PE file contains sections with non-standard names
Source: BASSMOD.dll.0.dr Static PE information: section name:
Source: BASSMOD.dll.0.dr Static PE information: section name:
Source: libgcc_s_dw2-1.dll.0.dr Static PE information: section name: /4
Source: libtomcrypt.dll.0.dr Static PE information: section name: UPX2
Source: libwinpthread-1.dll.0.dr Static PE information: section name: /4
Source: XF-Sublime-KG.exe.0.dr Static PE information: section name: .eh_fram
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_00B714E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00B714E0
Source: initial sample Static PE information: section name: entropy: 7.982708398519935
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Drops PE files
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe File created: C:\Users\user\AppData\Local\Temp\libtomcrypt.dll Jump to dropped file
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe File created: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Jump to dropped file
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe File created: C:\Users\user\AppData\Local\Temp\libwinpthread-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe File created: C:\Users\user\AppData\Local\Temp\libgcc_s_dw2-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe File created: C:\Users\user\AppData\Local\Temp\BASSMOD.dll Jump to dropped file
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Last function: Thread delayed
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe API coverage: 4.3 %
Contains functionality to detect virtual machines (SIDT)
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_6CE5DD17 sidt fword ptr [edx] 1_2_6CE5DD17
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe API call chain: ExitProcess graph end node
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_00B714E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00B714E0
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_00B7116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit, 1_2_00B7116C
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_00B711A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 1_2_00B711A3
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_00B71160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 1_2_00B71160
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_00B713C1 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm, 1_2_00B713C1
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Code function: 1_2_10001000 cpuid 1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\XF-Sublime-KG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\XF-Sublime-KG.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 811712 Sample: XF-Sublime-KG.exe Startdate: 19/02/2023 Architecture: WINDOWS Score: 64 20 Multi AV Scanner detection for submitted file 2->20 22 Machine Learning detection for sample 2->22 24 PE file has nameless sections 2->24 6 XF-Sublime-KG.exe 14 2->6         started        process3 file4 12 C:\Users\user\AppData\...\libwinpthread-1.dll, PE32 6->12 dropped 14 C:\Users\user\AppData\...\libtomcrypt.dll, PE32 6->14 dropped 16 C:\Users\user\AppData\...\libgcc_s_dw2-1.dll, PE32 6->16 dropped 18 2 other files (1 malicious) 6->18 dropped 9 XF-Sublime-KG.exe 6->9         started        process5 signatures6 26 Multi AV Scanner detection for dropped file 9->26
No contacted IP infos