Windows Analysis Report
SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe

Overview

General Information

Sample name: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe
Analysis ID: 1447596
MD5: 3ea7144962bfbe89e0145695fd039655
SHA1: 38e4c4c1f1d104da067f12c1d06734d354ce0ce1
SHA256: b0c1e15f1b660f639ea88e6999bbe4bab7b35e84337b92b1059638e0c7fa947f
Tags: exe

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Virustotal: Detection: 31%
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00478B6C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00478B6C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00490094 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_00490094
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00476A70 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00476A70
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0046F16C FindFirstFileA,FindNextFileA,FindClose, 1_2_0046F16C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004511DC FindFirstFileA,GetLastError, 1_2_004511DC
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0045F3A4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045F3A4
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0045F820 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045F820
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0045DE20 FindFirstFileA,FindNextFileA,FindClose, 1_2_0045DE20
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1665732024.0000000002101000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000002.2922256093.00000000020F0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1664682629.0000000002360000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000002.2922277470.0000000002101000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000003.1668682583.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000003.1669698962.00000000021A6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922656836.00000000021A4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cyworld.nate.com/nuclear_mine
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1665732024.0000000002101000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1664682629.0000000002360000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000002.2922277470.0000000002101000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000003.1668682583.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000003.1669698962.00000000021A6000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922656836.00000000021A4000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922580890.0000000002195000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ispp.sourceforge.net/
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922580890.0000000002195000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ispp.sourceforge.net/Des
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr String found in binary or memory: http://www.innosetup.com/
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666089570.0000000002360000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666996465.0000000002108000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr String found in binary or memory: http://www.remobjects.com/?ps
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666089570.0000000002360000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666996465.0000000002108000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922051073.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr String found in binary or memory: http://www.remobjects.com/?psU
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00423B2C NtdllDefWindowProc_A, 1_2_00423B2C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004722D4 NtdllDefWindowProc_A, 1_2_004722D4
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00412580 NtdllDefWindowProc_A, 1_2_00412580
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0042ED38 NtdllDefWindowProc_A, 1_2_0042ED38
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004551F4 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_004551F4
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0042E6CC: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 1_2_0042E6CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: 0_2_004092A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_004092A0
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00453AF8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_00453AF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: 0_2_004082E8 0_2_004082E8
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00462994 1_2_00462994
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004797C1 1_2_004797C1
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00485FE0 1_2_00485FE0
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004800E8 1_2_004800E8
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0044416C 1_2_0044416C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004305D0 1_2_004305D0
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00444864 1_2_00444864
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004588EC 1_2_004588EC
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0046498C 1_2_0046498C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00434A2C 1_2_00434A2C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00444C70 1_2_00444C70
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0046AC90 1_2_0046AC90
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0047F238 1_2_0047F238
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0043D44C 1_2_0043D44C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0045B694 1_2_0045B694
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0042FB74 1_2_0042FB74
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00443BC4 1_2_00443BC4
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00433D28 1_2_00433D28
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: String function: 00405964 appears 100 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: String function: 00406A2C appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: String function: 00403400 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: String function: 004454D0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: String function: 00407894 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: String function: 00433C40 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: String function: 00455970 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: String function: 00451AC0 appears 72 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: String function: 00455B70 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: String function: 004457A0 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: String function: 00403684 appears 204 times
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: String function: 00408BAC appears 44 times
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666089570.0000000002360000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe, 00000000.00000003.1666996465.0000000002108000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: _RegDLL.tmp.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal48.winEXE@3/4@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: 0_2_004092A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_004092A0
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00453AF8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_00453AF8
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00454320 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 1_2_00454320
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: 0_2_00409A04 FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00409A04
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe File created: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe ReversingLabs: Detection: 21%
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Virustotal: Detection: 31%
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe "C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Process created: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp "C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp" /SL5="$1043A,2318969,53248,C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Process created: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp "C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp" /SL5="$1043A,2318969,53248,C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Static file information: File size 2596914 > 1048576
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0044AD34 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0044AD34
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: 0_2_00406518 push 00406555h; ret 0_2_0040654D
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: 0_2_00408D90 push 00408DC3h; ret 0_2_00408DBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: 0_2_00407FE0 push ecx; mov dword ptr [esp], eax 0_2_00407FE5
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004098EC push 00409929h; ret 1_2_00409921
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax 1_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004305D0 push ecx; mov dword ptr [esp], eax 1_2_004305D5
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00410678 push ecx; mov dword ptr [esp], edx 1_2_0041067D
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004128D0 push 00412933h; ret 1_2_0041292B
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0047C88C push 0047C96Ah; ret 1_2_0047C962
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00450A78 push 00450AABh; ret 1_2_00450AA3
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00442B3C push ecx; mov dword ptr [esp], ecx 1_2_00442B40
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0040CFD0 push ecx; mov dword ptr [esp], edx 1_2_0040CFD2
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004573DC push 00457420h; ret 1_2_00457418
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0045B38C push ecx; mov dword ptr [esp], eax 1_2_0045B391
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0040F530 push ecx; mov dword ptr [esp], edx 1_2_0040F532
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004715E8 push ecx; mov dword ptr [esp], edx 1_2_004715E9
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00419BD0 push ecx; mov dword ptr [esp], ecx 1_2_00419BD5
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00455C0C push 00455C44h; ret 1_2_00455C3C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0047DEE0 push ecx; mov dword ptr [esp], ecx 1_2_0047DEE5
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00409FE7 push ds; ret 1_2_00409FE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe File created: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp File created: C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp File created: C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp File created: C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00422804 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_00422804
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00423BB4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423BB4
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00423BB4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423BB4
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0042413C IsIconic,SetActiveWindow, 1_2_0042413C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00424184 IsIconic,SetActiveWindow,SetFocus, 1_2_00424184
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0047C25C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_0047C25C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0041832C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_0041832C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00417540 IsIconic,GetCapture, 1_2_00417540
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00417C76 IsIconic,SetWindowPos, 1_2_00417C76
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00417C78 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417C78
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0044AD34 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0044AD34
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V44NQ.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00490094 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_00490094
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00476A70 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00476A70
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0046F16C FindFirstFileA,FindNextFileA,FindClose, 1_2_0046F16C
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004511DC FindFirstFileA,GetLastError, 1_2_004511DC
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0045F3A4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045F3A4
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0045F820 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045F820
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0045DE20 FindFirstFileA,FindNextFileA,FindClose, 1_2_0045DE20
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: 0_2_00409948 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409948
Source: SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp, 00000001.00000002.2922275657.00000000005CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00471D70 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_00471D70
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_0045A0E8 GetVersion,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree, 1_2_0045A0E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: GetLocaleInfoA, 0_2_0040515C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: GetLocaleInfoA, 0_2_004051A8
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: GetLocaleInfoA, 1_2_00408508
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: GetLocaleInfoA, 1_2_00408554
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_004566B8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_004566B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-K0O4V.tmp\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.tmp Code function: 1_2_00453AB0 GetUserNameA, 1_2_00453AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BackDoor.CmjSpy.326.14545.25032.exe Code function: 0_2_00405C44 GetVersionExA, 0_2_00405C44
No contacted IP infos