Source: STjk6HCD1P.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: STjk6HCD1P.exe |
Static PE information: certificate valid |
Source: STjk6HCD1P.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_00406435 FindFirstFileA,FindClose, |
0_2_00406435 |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_00405889 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, |
0_2_00405889 |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_004027A1 FindFirstFileA, |
0_2_004027A1 |
Source: unknown |
DNS traffic detected: query: 171.39.242.20.in-addr.arpa replaycode: Name error (3) |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa |
Source: STjk6HCD1P.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_Error |
Source: STjk6HCD1P.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_00405326 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, |
0_2_00405326 |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_6E441D68 GetDlgCtrlID,OpenClipboard,GetClipboardData,GlobalLock,lstrlenA,SendMessageA,GlobalUnlock,CloseClipboard,CallWindowProcA, |
0_2_6E441D68 |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_00403312 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
0_2_00403312 |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_004067BE |
0_2_004067BE |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_6E491A98 |
0_2_6E491A98 |
Source: STjk6HCD1P.exe, 00000000.00000002.2958799598.0000000000471000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameKsodrSetup.exe2 vs STjk6HCD1P.exe |
Source: STjk6HCD1P.exe |
Binary or memory string: OriginalFilenameKsodrSetup.exe2 vs STjk6HCD1P.exe |
Source: STjk6HCD1P.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: classification engine |
Classification label: clean5.winEXE@1/4@1/0 |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_00403312 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
0_2_00403312 |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_004045D7 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, |
0_2_004045D7 |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar, |
0_2_0040216B |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Mutant created: \Sessions\1\BaseNamedObjects\{53172BE5-3880-4172-A62C-B5EB4447E1DB} |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Mutant created: \Sessions\1\BaseNamedObjects\------------ksodr setup------------ |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
File created: C:\Users\user\AppData\Local\Temp\nsd6C9.tmp |
Jump to behavior |
Source: STjk6HCD1P.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
File read: C:\Users\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
File read: C:\Users\user\Desktop\STjk6HCD1P.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: dwmapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: oleacc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: ntmarta.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: shfolder.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: riched20.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: usp10.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: msls31.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: textinputframework.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: coreuicomponents.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: coremessaging.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Section loaded: textshaping.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
File written: C:\Users\user\AppData\Local\Temp\nsj786.tmp\ioSpecial.ini |
Jump to behavior |
Source: STjk6HCD1P.exe |
Static PE information: certificate valid |
Source: STjk6HCD1P.exe |
Static file information: File size 45208600 > 1048576 |
Source: STjk6HCD1P.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_6E491A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, |
0_2_6E491A98 |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_6E492F60 push eax; ret |
0_2_6E492F8E |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
File created: C:\Users\user\AppData\Local\Temp\nsj786.tmp\System.dll |
Jump to dropped file |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
File created: C:\Users\user\AppData\Local\Temp\nsj786.tmp\InstallOptions.dll |
Jump to dropped file |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_6E44140B wsprintfA,lstrcpyA,GetPrivateProfileStringA,lstrcpyA,CharNextA, |
0_2_6E44140B |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj786.tmp\System.dll |
Jump to dropped file |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj786.tmp\InstallOptions.dll |
Jump to dropped file |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_00406435 FindFirstFileA,FindClose, |
0_2_00406435 |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_00405889 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, |
0_2_00405889 |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_004027A1 FindFirstFileA, |
0_2_004027A1 |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_6E491A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, |
0_2_6E491A98 |
Source: C:\Users\user\Desktop\STjk6HCD1P.exe |
Code function: 0_2_00403312 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
0_2_00403312 |