Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.30060.94.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Analysis ID: 1470314
MD5: 79deee81f5bbea4e423490a1b122c90c
SHA1: 49f5b097f733601d67583919c9b4563fab26599d
SHA256: 166ec6d652868c9e7760976dc2458655ca15c6da2b2dcc767820b079da76fe81
Tags: exe

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to infect the boot sector
Contains functionality to register a low level keyboard hook
Machine Learning detection for dropped file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Classification radar categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)

AV Detection

Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Avira: detected
Source: C:\ProgramData\loantmp\1.0.1.205\exten.dll Avira: detection malicious, Label: ADWARE/Qjwmonkey.wsjlh
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Avira: detection malicious, Label: ADWARE/Bang5Mai.smnnh
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe ReversingLabs: Detection: 36%
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe ReversingLabs: Detection: 50%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 94.8% probability
Source: C:\ProgramData\loantmp\1.0.1.205\exten.dll Joe Sandbox ML: detected
Source: C:\ProgramData\loantmp\1.0.1.205\loanNPHelper.dll Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe File created: C:\ProgramData\loantmp\1.0.1.205\resource\License.txt Jump to behavior
Source: Binary string: D:\develop\LoanCalc\project\bin\Release\LoanCal.pdb source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1265655392.0000000002E2D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1266221491.0000000003630000.00000004.00001000.00020000.00000000.sdmp, LoanCal.exe.0.dr
Source: Binary string: D:\develop\LoanCalc\project\bin\Release\LoanCal.pdbp9V` source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1265655392.0000000002E2D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1266221491.0000000003630000.00000004.00001000.00020000.00000000.sdmp, LoanCal.exe.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_0040372C GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0040372C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_00403211 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00403211
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00817D60 FindFirstFileW,FindClose,FindClose, 5_2_00817D60
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_007FAEF0 FindFirstFileW,_memmove,FindNextFileW,FindClose, 5_2_007FAEF0
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00817AE0 FindFirstFileW,FindNextFileW,FindClose, 5_2_00817AE0
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_007FBCD0 _memset,OleInitialize,SHBrowseForFolderW,OleUninitialize,SHGetPathFromIDListW,FindFirstFileW,FindClose,MessageBoxW,OleUninitialize,OleUninitialize, 5_2_007FBCD0
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00817F20 FindFirstFileW,FindClose,FindClose, 5_2_00817F20
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1265655392.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, exten.dll.0.dr String found in binary or memory: http:///client.do/?method=configex&extpackage=%dLocal
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1265655392.0000000002CEC000.00000004.00000020.00020000.00000000.sdmp, LCAssist.exe.0.dr String found in binary or memory: http://activewy2/client.do/?method=testtest1__ldluLdLu%pEe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1262153010.00000000027F3000.00000004.00000020.00020000.00000000.sdmp, fileConfig.xml.0.dr String found in binary or memory: http://www.1gongju.com/loan/
Source: LCInstall.exe, 00000005.00000002.3733199929.0000000002530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.1gongju.com/loan/ddr2
Source: LCInstall.exe, 00000005.00000002.3733199929.0000000002530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.1gongju.com/loan/in
Source: LCInstall.exe, 00000005.00000002.3733060299.0000000002420000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jyrili.com/client.do/?method=configex&extpackage=103

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_00408DA3 SetWindowsHookExW 00000002,Function_00008D75,00000000,00000000 0_2_00408DA3
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Process Stats: CPU usage > 49%
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_0081BD50: CreateFileW,DeviceIoControl,FindCloseChangeNotification, 5_2_0081BD50
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_007FB2C0 OpenSCManagerW,CloseServiceHandle,CloseServiceHandle,DeleteService,CloseServiceHandle, 5_2_007FB2C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_00405C18 0_2_00405C18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_0040B0D0 0_2_0040B0D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_0040B0D4 0_2_0040B0D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_0040A8F0 0_2_0040A8F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_00419943 0_2_00419943
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_0040A260 0_2_0040A260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_0040D470 0_2_0040D470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_0040AC10 0_2_0040AC10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_00409C10 0_2_00409C10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_0040ED00 0_2_0040ED00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_00409DC0 0_2_00409DC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_004195D1 0_2_004195D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_004196AB 0_2_004196AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_00418F10 0_2_00418F10
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_0080A6F0 5_2_0080A6F0
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_0080CBF0 5_2_0080CBF0
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00801C40 5_2_00801C40
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00840073 5_2_00840073
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_007F63A0 5_2_007F63A0
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_008064C0 5_2_008064C0
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_0084045B 5_2_0084045B
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_008006B0 5_2_008006B0
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00844613 5_2_00844613
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_007EE740 5_2_007EE740
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00812870 5_2_00812870
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_007EE9F0 5_2_007EE9F0
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00806960 5_2_00806960
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00804A70 5_2_00804A70
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00842D46 5_2_00842D46
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_0083AEA8 5_2_0083AEA8
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_0082CE2A 5_2_0082CE2A
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_0083D026 5_2_0083D026
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00843297 5_2_00843297
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_007FB330 5_2_007FB330
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_0084B350 5_2_0084B350
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_0083F46E 5_2_0083F46E
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_007F96B0 5_2_007F96B0
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_007E56A0 5_2_007E56A0
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_008437E8 5_2_008437E8
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_0083F903 5_2_0083F903
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_0082BA00 5_2_0082BA00
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_0083FCA1 5_2_0083FCA1
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_0083BF03 5_2_0083BF03
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_007FFFD0 5_2_007FFFD0
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: String function: 0082E680 appears 60 times
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: String function: 0082A6BC appears 45 times
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: String function: 008296B7 appears 61 times
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: String function: 00832E10 appears 55 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: String function: 004029DB appears 44 times
Source: LCInstall.exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1265655392.0000000002DC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUninst.exeB vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1265655392.0000000002F7B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLoanCal.exe8 vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1266221491.00000000036BC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecalcservice.exe@ vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1266221491.00000000036BC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebAssist.dll8 vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1265655392.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameinstall.exe8 vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1265655392.0000000002C9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1265655392.0000000002CEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvassist.exe< vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1260594465.00000000024E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInstall.exeD" vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1265655392.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecalcservice.exe@ vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1265655392.0000000002FA5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebAssist.dll8 vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000000.1258290453.0000000000433000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameInstall.exeD" vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1260528236.00000000024E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInstall.exeD" vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1265655392.0000000002C19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1266099806.00000000007E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebAssist.dll8 vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1266221491.0000000003692000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLoanCal.exe8 vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe, 00000000.00000003.1260768494.00000000024E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInstall.exeD" vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Binary or memory string: OriginalFilenameInstall.exeD" vs SecuriteInfo.com.Win32.Evo-gen.30060.94.exe
Source: classification engine Classification label: mal96.spyw.evad.winEXE@3/43@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_004095EE wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree, 0_2_004095EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_0040122A GetDiskFreeSpaceExW,SendMessageW, 0_2_0040122A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_004092A9 GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,GetWindowLongW,GetDlgItem,SetWindowLongW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow, 0_2_004092A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_004020D2 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress, 0_2_004020D2
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Mutant created: NULL
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Command line argument: 7142 5_2_00801C40
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Command line argument: 6.0.1.1 5_2_00801C40
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Command line argument: www.jyrili.com 5_2_00801C40
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Command line argument: source.ini 5_2_00801C40
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Command line argument: 6.0.1.1 5_2_00801C40
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Command line argument: 7142 5_2_00801C40
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Command line argument: loancal 5_2_00801C40
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer,Name,ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Process created: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe "C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe" /I
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: propsys.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: amsi.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: userenv.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Static file information: File size 1342212 > 1048576
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_00402678 LoadLibraryA,GetProcAddress,GetNativeSystemInfo, 0_2_00402678
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Static PE information: real checksum: 0x37191 should be: 0x155431
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_00419290 push eax; ret 0_2_004192BE
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_008300F9 push ecx; ret 5_2_0083010C
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00832E55 push ecx; ret 5_2_00832E68

Persistence and Installation Behavior

Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: CreateFileA,DeviceIoControl,_malloc,DeviceIoControl,CloseHandle,_free, \\.\PhysicalDrive%d 5_2_00823A50
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: CreateFileA,_memset,DeviceIoControl,_strcpy_s,_strcpy_s,_memset,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 5_2_00823F40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe File created: C:\ProgramData\loantmp\1.0.1.205\LCAssist.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe File created: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe File created: C:\ProgramData\loantmp\1.0.1.205\loanNPHelper.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe File created: C:\ProgramData\loantmp\1.0.1.205\exten.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe File created: C:\ProgramData\loantmp\1.0.1.205\LoanCal.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe File created: C:\ProgramData\loantmp\1.0.1.205\fixfunction.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe File created: C:\ProgramData\loantmp\1.0.1.205\loancalservice.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe File created: C:\ProgramData\loantmp\1.0.1.205\LCUninst.exe Jump to dropped file

Boot Survival

Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: CreateFileA,DeviceIoControl,_malloc,DeviceIoControl,CloseHandle,_free, \\.\PhysicalDrive%d 5_2_00823A50
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: CreateFileA,_memset,DeviceIoControl,_strcpy_s,_strcpy_s,_memset,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive%d 5_2_00823F40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_DiskDrive WHERE (SerialNumber IS NOT NULL) AND (MediaType LIKE 'Fixed hard disk%')
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT PNPDeviceID FROM Win32_NetworkAdapter WHERE (MACAddress IS NOT NULL) AND (NOT (PNPDeviceID LIKE 'ROOT%'))
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: _memset,GetAdaptersInfo, 5_2_00824760
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Window / User API: threadDelayed 7386
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Window / User API: threadDelayed 2539
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Dropped PE file which has not been started: C:\ProgramData\loantmp\1.0.1.205\LCAssist.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Dropped PE file which has not been started: C:\ProgramData\loantmp\1.0.1.205\loanNPHelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Dropped PE file which has not been started: C:\ProgramData\loantmp\1.0.1.205\exten.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Dropped PE file which has not been started: C:\ProgramData\loantmp\1.0.1.205\LoanCal.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Dropped PE file which has not been started: C:\ProgramData\loantmp\1.0.1.205\loancalservice.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Dropped PE file which has not been started: C:\ProgramData\loantmp\1.0.1.205\fixfunction.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Dropped PE file which has not been started: C:\ProgramData\loantmp\1.0.1.205\LCUninst.exe
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe TID: 7188 Thread sleep time: -4062300s >= -30000s
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe TID: 7188 Thread sleep time: -1396450s >= -30000s
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber,Product FROM Win32_BaseBoard WHERE (SerialNumber IS NOT NULL)
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer,Name,ProcessorId FROM Win32_Processor
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_0040372C GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0040372C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_00403211 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00403211
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00817D60 FindFirstFileW,FindClose,FindClose, 5_2_00817D60
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_007FAEF0 FindFirstFileW,_memmove,FindNextFileW,FindClose, 5_2_007FAEF0
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00817AE0 FindFirstFileW,FindNextFileW,FindClose, 5_2_00817AE0
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_007FBCD0 _memset,OleInitialize,SHBrowseForFolderW,OleUninitialize,SHGetPathFromIDListW,FindFirstFileW,FindClose,MessageBoxW,OleUninitialize,OleUninitialize, 5_2_007FBCD0
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00817F20 FindFirstFileW,FindClose,FindClose, 5_2_00817F20
Source: SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Binary or memory string: vmCIAa
Source: LCInstall.exe, 00000005.00000002.3728844678.00000000008F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_0083300E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0083300E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_00402678 LoadLibraryA,GetProcAddress,GetNativeSystemInfo, 0_2_00402678
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00829200 GetProcessHeap,HeapAlloc,InterlockedPopEntrySList,InterlockedPopEntrySList,VirtualAlloc,InterlockedPopEntrySList,VirtualFree,InterlockedPushEntrySList, 5_2_00829200
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_0082B4A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0082B4A1
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: 5_2_00835869 SetUnhandledExceptionFilter, 5_2_00835869
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Process created: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe "C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe" /I
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_00402757 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00402757
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, 0_2_00402490
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 5_2_0083E57D
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 5_2_0083E86B
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 5_2_00832B90
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_0083ED52
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 5_2_0083EEEE
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 5_2_0083EE47
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 5_2_00840E7F
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 5_2_0083EF49
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 5_2_00840F59
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 5_2_0083F1DA
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 5_2_0083F11A
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 5_2_0083F241
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 5_2_0083F27D
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 5_2_0083D921
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 5_2_0082FB27
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Code function: GetLocaleInfoA, 5_2_00831E64
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\ProgramData\loantmp\1.0.1.205\resource\btn_close.png VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\ProgramData\loantmp\1.0.1.205\resource\title.png VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\ProgramData\loantmp\1.0.1.205\resource\bg_install.png VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\ProgramData\loantmp\1.0.1.205\resource\button_setup.png VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\ProgramData\loantmp\1.0.1.205\resource\box_check.png VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\ProgramData\loantmp\1.0.1.205\resource\DirectUI\srollBk.bmp VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\ProgramData\loantmp\1.0.1.205\resource\DirectUI\scrollBar.bmp VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\ProgramData\loantmp\1.0.1.205\resource\DirectUI\scrollArrowUp.bmp VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\ProgramData\loantmp\1.0.1.205\resource\DirectUI\scrollArrowDown.bmp VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\ProgramData\loantmp\1.0.1.205\resource\return.png VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\ProgramData\loantmp\1.0.1.205\resource\browser.png VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\ProgramData\loantmp\1.0.1.205\resource\progress_bar.png VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\ProgramData\loantmp\1.0.1.205\resource\now_start.png VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\ProgramData\loantmp\1.0.1.205\LCInstall.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_00403A96 lstrlenW,GetSystemTimeAsFileTime,GetFileAttributesW,memcpy,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00403A96
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.30060.94.exe Code function: 0_2_00405C18 ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,lstrlenW,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,lstrlenW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA, 0_2_00405C18
No contacted IP infos