Windows
Analysis Report
SecuriteInfo.com.Adware.InstallCore.768.7677.16658.exe
Overview
General Information
Detection
Score: | 8 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 20% |
Signatures
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTML body with high number of embedded images detected
HTML body with high number of large embedded background images detected
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
  - SecuriteInfo.com.Adware.InstallCore.768.7677.16658.exe (PID: 3204 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Adware.InstallCore.768.7677.16658.exe" MD5: 8C9D7C62D1C19373BB581D879F012B33)
  - SecuriteInfo.com.Adware.InstallCore.768.7677.16658.tmp (PID: 2912 cmdline: "C:\Users\user\AppData\Local\Temp\is-P7M8L.tmp\SecuriteInfo.com.Adware.InstallCore.768.7677.16658.tmp" /SL5="$203EE,69853475,53248,C:\Users\user\Desktop\SecuriteInfo.com.Adware.InstallCore.768.7677.16658.exe" MD5: 52950AC9E2B481453082F096120E355A)
  - msiexec.exe (PID: 6828 cmdline: "C:\Windows\System32\msiexec.exe" /qn /i "C:\Program Files (x86)\AVS4YOU\AVSVideoEditor\vcredist.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - WMFDist11.exe (PID: 6040 cmdline: "C:\Program Files (x86)\AVS4YOU\AVSVideoEditor\WMFDist11.exe" /Q:A /R:N MD5: 0ACA9C0DD652AD1340266AC775C1E7AD)
  - regsvr32.exe (PID: 6792 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\msxml3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 5832 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSUniversalVideoConverter.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 5056 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSAVIFile3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 5956 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSDVDFile3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 640 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSMediaFormatSettings3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 2872 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSVideoOverlay.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 5020 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSAudioOverlay.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 4852 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSVOBFile3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 4440 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSWMVFile3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 884 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSBluRayFiles.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 1444 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSBluRayFile3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 2420 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSBluRayFinalizer.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 1948 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSBluRayMenu.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 3908 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSM2TSFile3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 6740 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSVideoPlayer.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 3080 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSAudioDxPlayer4.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 5976 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSMediaCore3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 2940 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSVideoDVDMenu3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 5608 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSVideoXmlDVDMenu.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 368 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSMPEGFile3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 6448 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSAudioCompress4.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 5916 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSAudioTransform4.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 1476 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSAudioTransformEx4.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 3004 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSPSCore3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 5724 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSFLVFile3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 5944 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSVideoFile3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - regsvr32.exe (PID: 5244 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSQuickTimeFile3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  - msiexec.exe (PID: 3608 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  - msiexec.exe (PID: 5692 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 99D16A0121B8E031EBFC9AE17FAE4D01 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- cleanup
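The process tree above carries the three things worth pulling out of an installer run like this one: the Inno Setup hand-off (the dropper unpacks a .tmp into %TEMP%\is-XXXX.tmp and relaunches it with /SL5="$hwnd,offset,size,original-exe"), the quiet msiexec /qn install, and the burst of silent regsvr32 /s COM registrations. The script below is an added triage example, not code from the report or from the sandbox vendor; it assumes the exact "name (PID: N cmdline: ... MD5: ...)" line shape used above, and SAMPLE_TREE is a constructed subset of that tree (same PIDs, paths and MD5s). It also shows why msiexec.exe appears with two hashes: the 32-bit installer asked for C:\Windows\System32\msiexec.exe and WoW64 file-system redirection handed it the SysWOW64 binary, so that hash matches the explicit syswow64 line while the /V service instance is the 64-bit image.

```python
"""Triage helper for a sandbox process tree (added example, not report code).

Parses lines in the "name (PID: N cmdline: ... MD5: ...)" shape and extracts
the Inno Setup /SL5 hand-off, quiet msiexec installs, silent regsvr32
registrations, and image names seen with more than one hash.  SAMPLE_TREE is a
constructed subset of the tree above; the regexes assume that exact line shape.
"""
import re

SAMPLE_TREE = r'''
SecuriteInfo.com.Adware.InstallCore.768.7677.16658.exe (PID: 3204 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Adware.InstallCore.768.7677.16658.exe" MD5: 8C9D7C62D1C19373BB581D879F012B33)
SecuriteInfo.com.Adware.InstallCore.768.7677.16658.tmp (PID: 2912 cmdline: "C:\Users\user\AppData\Local\Temp\is-P7M8L.tmp\SecuriteInfo.com.Adware.InstallCore.768.7677.16658.tmp" /SL5="$203EE,69853475,53248,C:\Users\user\Desktop\SecuriteInfo.com.Adware.InstallCore.768.7677.16658.exe" MD5: 52950AC9E2B481453082F096120E355A)
msiexec.exe (PID: 6828 cmdline: "C:\Windows\System32\msiexec.exe" /qn /i "C:\Program Files (x86)\AVS4YOU\AVSVideoEditor\vcredist.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
regsvr32.exe (PID: 6792 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\msxml3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
regsvr32.exe (PID: 5832 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSUniversalVideoConverter.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
regsvr32.exe (PID: 5056 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSAVIFile3.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
msiexec.exe (PID: 3608 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
msiexec.exe (PID: 5692 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 99D16A0121B8E031EBFC9AE17FAE4D01 MD5: 9D09DC1EDA745A5F87553048E57620CF)
'''

PROC_RE = re.compile(
    r'^(?P<name>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$')
# Inno Setup relaunches its unpacked stub as: <tmp> /SL5="$<hwnd>,<offset>,<size>,<original setup exe>"
SL5_RE = re.compile(r'/SL5="\$(?P<hwnd>[0-9A-Fa-f]+),(?P<offset>\d+),(?P<size>\d+),(?P<parent>[^"]+)"')
REGSVR_RE = re.compile(r'regsvr32\.exe"?\s+(?P<flags>(?:/\w+\s+)*)"(?P<dll>[^"]+\.dll)"', re.I)
MSI_RE = re.compile(r'/i\s+"(?P<msi>[^"]+\.msi)"', re.I)


def parse_tree(text):
    """One process per line; list bullets are tolerated, unmatched lines skipped."""
    procs = []
    for line in text.strip().splitlines():
        m = PROC_RE.match(line.strip().lstrip("- "))
        if m:
            procs.append({**m.groupdict(), "pid": int(m["pid"])})
    return procs


def inno_handoffs(procs):
    """(child pid, original setup path, data offset, size) for each /SL5 launch.

    The path inside /SL5 is the file the child reads its payload from, so it
    links a generically named .tmp back to the executable that was delivered.
    """
    out = []
    for p in procs:
        m = SL5_RE.search(p["cmd"])
        if m:
            out.append((p["pid"], m["parent"], int(m["offset"]), int(m["size"])))
    return out


def silent_regsvr32(procs):
    """DLL paths registered with regsvr32 /s (no prompts), in tree order."""
    dlls = []
    for p in procs:
        m = REGSVR_RE.search(p["cmd"]) if p["name"].lower() == "regsvr32.exe" else None
        if m and "/s" in m["flags"].lower().split():
            dlls.append(m["dll"])
    return dlls


def quiet_msi_installs(procs):
    """MSI packages installed with msiexec /qn (no UI)."""
    out = []
    for p in procs:
        if p["name"].lower() != "msiexec.exe":
            continue
        m = MSI_RE.search(p["cmd"])
        if m and "/qn" in p["cmd"].lower().split():
            out.append(m["msi"])
    return out


def hash_variants(procs):
    """Image names that occur with more than one MD5 (here: 32- vs 64-bit msiexec).

    A 32-bit process opening C:\\Windows\\System32\\msiexec.exe is redirected by
    WoW64 to the SysWOW64 copy, so its hash matches the syswow64 line and
    differs from the 64-bit /V service instance.
    """
    seen = {}
    for p in procs:
        seen.setdefault(p["name"].lower(), set()).add(p["md5"].upper())
    return {name: sorted(h) for name, h in seen.items() if len(h) > 1}


def triage(text):
    procs = parse_tree(text)
    return {"processes": len(procs), "inno_handoffs": inno_handoffs(procs),
            "silent_regsvr32": silent_regsvr32(procs),
            "quiet_msi": quiet_msi_installs(procs), "hash_variants": hash_variants(procs)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TREE).items():
        print(f"{key}: {value}")
```

Run it over the full tree above (paste the bullet lines into SAMPLE_TREE) and the regsvr32 list comes back as 27 DLLs, 26 of them under a single vendor directory, which is the quickest way to tell a bundled media-codec install from a lone DLL registered out of a temp folder.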
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
No Sigma rule has matched
No Snort rule has matched
There are no malicious signatures.
HTTP Parser: 4 entries (source and values not extracted)
Static PE information: 1 entry (source and values not extracted)
File opened: 1 entry (source and values not extracted)
Binary string: 42 entries (source and values not extracted)
File opened: 25 entries (source and values not extracted)
Code function: 8 entries (source not extracted): 2_2_00478B6C, 2_2_0046F16C, 2_2_004511DC, 2_2_00490094, 2_2_00476A70, 2_2_0045F3A4, 2_2_0045F820, 2_2_0045DE20
File opened: 6 entries (source and values not extracted)
UDP traffic detected without corresponding DNS query: 38 entries (source and addresses not extracted)
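What the "UDP traffic detected without corresponding DNS query" signature checks is whether each UDP destination can be traced back to an earlier DNS answer; an address that cannot was hard-coded or obtained some other way. On a Windows 10 sandbox the same check also catches LLMNR, mDNS, SSDP and NetBIOS name-service traffic, which goes to multicast or broadcast addresses and never needs DNS, so the count above should be read with that in mind. The script below is an added example of the correlation, not the sandbox's own logic; DNS_ANSWERS and UDP_FLOWS are constructed records (the report's actual addresses did not survive extraction), and it separates the multicast/broadcast noise from flows that genuinely lack an explanation.

```python
"""Correlate UDP flows with DNS answers (added example, not report code).

Reproduces the idea behind the "UDP traffic detected without corresponding DNS
query" signature.  DNS_ANSWERS and UDP_FLOWS are constructed sample records.
"""
import ipaddress

# (seconds since capture start, queried name, answered IPv4)
DNS_ANSWERS = [
    (1.0, "updates.example.test", "198.51.100.10"),
    (2.5, "cdn.example.test", "203.0.113.7"),
]

# (seconds since capture start, destination IPv4, destination port)
UDP_FLOWS = [
    (0.5, "192.0.2.53", 53),          # the resolver itself is never "resolved"
    (1.0, "203.0.113.7", 443),        # answered only at 2.5 s: still unexplained
    (1.2, "198.51.100.10", 443),      # explained by the 1.0 s answer
    (1.8, "224.0.0.252", 5355),       # LLMNR multicast
    (2.0, "239.255.255.250", 1900),   # SSDP multicast
    (2.1, "255.255.255.255", 137),    # NetBIOS name service broadcast
    (3.0, "203.0.113.7", 443),        # explained by the 2.5 s answer
    (3.5, "198.51.100.99", 8080),     # never resolved: hard-coded peer
]

NOISE_PORTS = {5355: "LLMNR", 5353: "mDNS", 1900: "SSDP", 137: "NBNS", 138: "NBDS"}
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify_udp(dns_answers, udp_flows, dns_port=53):
    """Return {"explained": [...], "noise": [...], "unexplained": [...]}.

    Each entry is (time, dst, port, reason).  A flow is explained only by an
    answer seen at or before it; a later answer cannot be where the address
    came from.  Only multicast/broadcast destinations count as noise, so a
    name-service port used toward a unicast peer is still checked.
    """
    answers = sorted(dns_answers)
    explained, noise, unexplained = [], [], []
    for ts, dst, port in sorted(udp_flows):
        addr = ipaddress.ip_address(dst)
        if port == dns_port:
            explained.append((ts, dst, port, "dns"))
        elif addr.is_multicast or addr == LIMITED_BROADCAST:
            noise.append((ts, dst, port, NOISE_PORTS.get(port, "multicast/broadcast")))
        else:
            names = [name for at, name, ip in answers if ip == dst and at <= ts]
            if names:
                explained.append((ts, dst, port, names[-1]))
            else:
                unexplained.append((ts, dst, port, "no prior DNS answer"))
    return {"explained": explained, "noise": noise, "unexplained": unexplained}


if __name__ == "__main__":
    for bucket, flows in classify_udp(DNS_ANSWERS, UDP_FLOWS).items():
        print(bucket)
        for ts, dst, port, why in flows:
            print(f"  {ts:5.1f}s  {dst}:{port}  ({why})")
```

The time ordering matters: the 1.0 s flow to 203.0.113.7 is flagged even though the name resolves later, because a process that already knew the address before asking for it is exactly the case the signature exists to surface.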
DNS traffic detected: 11 entries (source and names not extracted)
String found in binary or memory: 2 entries (source and values not extracted)
Source: |