Windows Analysis Report
SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe

Overview

General Information

Sample name: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe
Analysis ID: 1446070
MD5: 4a47cddaecb9c32a7dda070fa85534ee
SHA1: 5f0794d9906e046fbd7d6aebcf8320bf63717bf8
SHA256: 6091ebc6ab4572afe5fb8f16ddff0d6395abf68e19baf572442940e4344f977b
Tags: exe

Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00452A60 FindFirstFileA,GetLastError, 1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463CDC
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465220778.0000000006020000.00000004.00001000.00020000.00000000.sdmp, TXT to ePub converter.exe, 00000005.00000000.2463906666.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-IAGUC.tmp.1.dr String found in binary or memory: http://www.daisy.org/z3986/2005/ncx/
Source: is-IAGUC.tmp.1.dr String found in binary or memory: http://www.epubforwindows.com
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2468314414.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2065845650.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2065760061.0000000002340000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2067802930.0000000002218000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2466398394.0000000002218000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2067734484.0000000003100000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.epubforwindows.com/
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2468314414.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2065845650.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2067802930.0000000002218000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2466398394.0000000002218000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.epubforwindows.com/.
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465220778.0000000006020000.00000004.00001000.00020000.00000000.sdmp, TXT to ePub converter.exe, 00000005.00000000.2463906666.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-IAGUC.tmp.1.dr String found in binary or memory: http://www.epubforwindows.com/buynow.htm
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465220778.0000000006020000.00000004.00001000.00020000.00000000.sdmp, TXT to ePub converter.exe, 00000005.00000000.2463906666.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-IAGUC.tmp.1.dr String found in binary or memory: http://www.epubforwindows.com/buynow.htmU
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465220778.0000000006020000.00000004.00001000.00020000.00000000.sdmp, TXT to ePub converter.exe, 00000005.00000000.2463906666.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-IAGUC.tmp.1.dr String found in binary or memory: http://www.idpf.org/2007/opf
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-736GC.tmp.1.dr, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp.0.dr String found in binary or memory: http://www.innosetup.com/
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2468314414.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2065845650.0000000002081000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2065760061.0000000002340000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465905142.0000000000823000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2067802930.0000000002218000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000002.2467674961.000000000083B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2466398394.0000000002218000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2067734484.0000000003100000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000003.2465974307.000000000083A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.luckhan.com/
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2066259101.0000000002094000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2066126533.0000000002340000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-736GC.tmp.1.dr, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp.0.dr String found in binary or memory: http://www.remobjects.com/ps
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2066259101.0000000002094000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2066126533.0000000002340000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp, 00000001.00000002.2467266313.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-736GC.tmp.1.dr, SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp.0.dr String found in binary or memory: http://www.remobjects.com/psU
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00423B84 NtdllDefWindowProc_A, 1_2_00423B84
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_004125D8 NtdllDefWindowProc_A, 1_2_004125D8
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00478AC0 NtdllDefWindowProc_A, 1_2_00478AC0
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_0042F520 NtdllDefWindowProc_A, 1_2_0042F520
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_00457594
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 1_2_0042E934
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_004555E4
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: String function: 00408C0C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: String function: 00406AC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: String function: 0040595C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: String function: 00457F1C appears 73 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: String function: 00445DD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: String function: 00457D10 appears 96 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: String function: 004344DC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: String function: 004078F4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: String function: 00403684 appears 225 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: String function: 00453344 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: String function: 004460A4 appears 59 times
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-736GC.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-736GC.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-736GC.tmp.1.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2066259101.0000000002094000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe, 00000000.00000003.2066126533.0000000002340000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe
Source: classification engine Classification label: clean4.winEXE@5/18@0/0
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceExA,GetDiskFreeSpaceA, 1_2_00455E0C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00409C34
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp File created: C:\Program Files (x86)\txt to epub converter
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe File created: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe "C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Process created: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp "C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp" /SL5="$203F2,492927,56832,C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe"
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Process created: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe "C:\Program Files (x86)\txt to epub converter\TXT to epub converter.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Section loaded: netutils.dll
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe Section loaded: version.dll
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe Section loaded: textshaping.dll
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: TXT to ePub Converter.lnk.1.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe
Source: Uninstall TXT to ePub Converter.lnk.1.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\txt to epub converter\unins000.exe
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Window found: window name: TSelectLanguageForm
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Automated click: I accept the agreement
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_0040994C push 00409989h; ret 1_2_00409981
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00483F88 push 00484096h; ret 1_2_0048408E
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax 1_2_004062B5
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx 1_2_004104E5
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00412928 push 0041298Bh; ret 1_2_00412983
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00494CAC push ecx; mov dword ptr [esp], ecx 1_2_00494CB1
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx 1_2_0040CE3A
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_004592D0 push 00459314h; ret 1_2_0045930C
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx 1_2_0040F39A
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx 1_2_00443444
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00485678 push ecx; mov dword ptr [esp], ecx 1_2_0048567D
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_004517F8 push 0045182Bh; ret 1_2_00451823
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_004519BC push ecx; mov dword ptr [esp], eax 1_2_004519C1
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00477B08 push ecx; mov dword ptr [esp], edx 1_2_00477B09
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00419C28 push ecx; mov dword ptr [esp], ecx 1_2_00419C2D
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_0045FD1C push ecx; mov dword ptr [esp], ecx 1_2_0045FD20
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00499D30 pushad ; retf 1_2_00499D3F
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp File created: C:\Program Files (x86)\txt to epub converter\is-IAGUC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp File created: C:\Users\user\AppData\Local\Temp\is-4PPEK.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp File created: C:\Program Files (x86)\txt to epub converter\TXT to ePub converter.exe (copy)
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe File created: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp File created: C:\Program Files (x86)\txt to epub converter\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp File created: C:\Program Files (x86)\txt to epub converter\is-736GC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp File created: C:\Users\user\AppData\Local\Temp\is-4PPEK.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\txt to epub converter
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\txt to epub converter\TXT to ePub Converter.lnk
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\txt to epub converter\Uninstall TXT to ePub Converter.lnk
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0042285C
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus, 1_2_004241DC
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00424194 IsIconic,SetActiveWindow, 1_2_00424194
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00418384
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00417598 IsIconic,GetCapture, 1_2_00417598
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_0048393C
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00417CCE IsIconic,SetWindowPos, 1_2_00417CCE
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417CD0
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F118
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4PPEK.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Dropped PE file which has not been started: C:\Program Files (x86)\txt to epub converter\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Dropped PE file which has not been started: C:\Program Files (x86)\txt to epub converter\is-736GC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4PPEK.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00452A60 FindFirstFileA,GetLastError, 1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463CDC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409B78
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_00478504
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 1_2_0042E09C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Code function: GetLocaleInfoA, 0_2_0040520C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Code function: GetLocaleInfoA, 0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: GetLocaleInfoA, 1_2_00408568
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: GetLocaleInfoA, 1_2_004085B4
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_004585C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-V3QT6.tmp\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.tmp Code function: 1_2_0045559C GetUserNameA, 1_2_0045559C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanPSW.Stealer.3956.28708.exe Code function: 0_2_00405CF4 GetVersionExA, 0_2_00405CF4
No contacted IP infos