Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Analysis ID: 1502165
MD5: fe41ba6e49587e644575cc3e63bbec57
SHA1: b26bf2f22af8fbf59c84df1295c179e6ce9010dd
SHA256: 671d2ffc833e605aa7061ce6c43b83a180957ec3c004856fe837f00b7a0b78a1
Tags: exe

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Multi AV Scanner detection for submitted file
Adds / modifies Windows certificates
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Virustotal: Detection: 22%
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2073361025.000000000541B000.00000004.00000020.00020000.00000000.sdmp, shi55E.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ExternalUICleaner.dll.0.dr, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ?? 02 - ??.x64.msi.0.dr, ShortcutFlags.dll.0.dr, ?? 02 - ??.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb3 source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ExternalUICleaner.dll.0.dr, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbA source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ?? 02 - ??.x64.msi.0.dr, ShortcutFlags.dll.0.dr, ?? 02 - ??.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr
Source: Binary string: wininet.pdbUGP source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2073361025.000000000541B000.00000004.00000020.00020000.00000000.sdmp, shi55E.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, lzmaextractor.dll.0.dr, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, MSI92E.tmp.0.dr, MSIB14.tmp.0.dr, MSI880.tmp.0.dr, ?? 02 - ??.x64.msi.0.dr, MSI850.tmp.0.dr, MSI772.tmp.0.dr, MSI870.tmp.0.dr, MSI7F0.tmp.0.dr, ?? 02 - ??.msi.0.dr, MSIB53.tmp.0.dr, MSI8A1.tmp.0.dr, MSI82F.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FA9830 FindFirstFileW,GetLastError,FindClose, 0_2_00FA9830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EA2290 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW, 0_2_00EA2290
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FA8ED0 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_00FA8ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FB7A10 FindFirstFileW,FindClose,FindClose, 0_2_00FB7A10
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3318885400.00000000010E9000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000000.2056387638.00000000010E9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: FlashWindowExFlashWindowGetPackagePathhttp://www.google.comhttp://www.yahoo.comtin9999.tmphttp://www.example.comTEST.partGET "filenameattachment=123POSTcharsetDLDISO-8859-1US-ASCIIutf-8utf-16FTP Server*/*AdvancedInstallerLocal Network ServerIf-Modified-Since: %s equals www.yahoo.com (Yahoo)
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe String found in binary or memory: UFlashWindowExFlashWindowGetPackagePathhttp://www.google.comhttp://www.yahoo.comtin9999.tmphttp://www.example.comTEST.partGET "filenameattachment=123POSTcharsetDLDISO-8859-1US-ASCIIutf-8utf-16FTP Server*/*AdvancedInstallerLocal Network ServerIf-Modified-Since: %s equals www.yahoo.com (Yahoo)
Source: shi55E.tmp.0.dr String found in binary or memory: http://.css
Source: shi55E.tmp.0.dr String found in binary or memory: http://.jpg
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3318512606.0000000000C97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrus
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3318512606.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3318512606.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssur
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3318512606.0000000000C97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA25
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: shi55E.tmp.0.dr String found in binary or memory: http://html4/loose.dtd
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: http://ocsp.sectigo.com00
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00F87CD0 SendMessageW,GetParent,GetParent,GetWindowRect,GetParent,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,MapWindowPoints,FillRect,DeleteDC,SendMessageW,SendMessageW,SendMessageW, 0_2_00F87CD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00F664F0 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,GetSysColor, 0_2_00F664F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FEF850 NtdllDefWindowProc_W, 0_2_00FEF850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EA3E40 KillTimer,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection, 0_2_00EA3E40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EA00C0 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00EA00C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00E96670 SysFreeString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString, 0_2_00E96670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00E96CD0 NtdllDefWindowProc_W,GetSysColor, 0_2_00E96CD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00E98C40 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow, 0_2_00E98C40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EB6FE0 NtdllDefWindowProc_W, 0_2_00EB6FE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00F47370 NtdllDefWindowProc_W, 0_2_00F47370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00E99360 NtdllDefWindowProc_W, 0_2_00E99360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EA9430 NtdllDefWindowProc_W, 0_2_00EA9430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EF7760 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00EF7760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00E99920 NtdllDefWindowProc_W, 0_2_00E99920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00E95F50 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00E95F50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00E9FF50 NtdllDefWindowProc_W, 0_2_00E9FF50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FE8160 0_2_00FE8160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00F88460 0_2_00F88460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FFCE10 0_2_00FFCE10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FC36C0 0_2_00FC36C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FB1850 0_2_00FB1850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EA2290 0_2_00EA2290
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00E87620 0_2_00E87620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EA0500 0_2_00EA0500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EB8630 0_2_00EB8630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EAA820 0_2_00EAA820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EBCBB0 0_2_00EBCBB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EB0C80 0_2_00EB0C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_0106CD70 0_2_0106CD70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EFADA0 0_2_00EFADA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_01002F40 0_2_01002F40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EACE41 0_2_00EACE41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_0107511A 0_2_0107511A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00E83000 0_2_00E83000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_0106539E 0_2_0106539E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EAF410 0_2_00EAF410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_0106572C 0_2_0106572C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FAF6D0 0_2_00FAF6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EB9710 0_2_00EB9710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EA9AD0 0_2_00EA9AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FBBA70 0_2_00FBBA70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_01079B99 0_2_01079B99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EA5CE0 0_2_00EA5CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00E85C82 0_2_00E85C82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_0107FF84 0_2_0107FF84
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EA9FF0 0_2_00EA9FF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: String function: 00E88DB0 appears 226 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: String function: 00E88300 appears 59 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: String function: 00E8A830 appears 52 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: String function: 00E8A2A0 appears 52 times
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2091463542.0000000003EC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp Binary or memory string: OriginalFilenamelzmaextractor.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp Binary or memory string: OriginalFilenameShortcutFlags.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp Binary or memory string: OriginalFilenamePrereq.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp Binary or memory string: OriginalFilenameExternalUICleaner.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3319283327.0000000003E10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2073361025.000000000541B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelzmaextractor.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameShortcutFlags.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrereq.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameExternalUICleaner.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3319283327.0000000003EC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3318984611.0000000001186000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameMicrosoft Outlook vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2088123615.0000000003E8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Binary or memory string: OriginalFileNameMicrosoft Outlook vs SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: shi55E.tmp.0.dr Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine Classification label: sus36.winEXE@4/90@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FACA20 FormatMessageW,GetLastError, 0_2_00FACA20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FDBC30 GetDiskFreeSpaceExW, 0_2_00FDBC30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00E8A160 LoadResource,LockResource,SizeofResource, 0_2_00E8A160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Outlook 24.9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File created: C:\Users\user\AppData\Local\Temp\shi55E.tmp
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0E4E2BFC58A5D03AC826880BF5326FF0 C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: lpk.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: msihnd.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static file information: File size 12568744 > 1048576
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x267200
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wininet.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2073361025.000000000541B000.00000004.00000020.00020000.00000000.sdmp, shi55E.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ExternalUICleaner.dll.0.dr, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ?? 02 - ??.x64.msi.0.dr, ShortcutFlags.dll.0.dr, ?? 02 - ??.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb3 source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ExternalUICleaner.dll.0.dr, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ShortcutFlags.pdbA source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ?? 02 - ??.x64.msi.0.dr, ShortcutFlags.dll.0.dr, ?? 02 - ??.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr
Source: Binary string: wininet.pdbUGP source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2073361025.000000000541B000.00000004.00000020.00020000.00000000.sdmp, shi55E.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, lzmaextractor.dll.0.dr, ?? 02 - ??.x64.msi.0.dr, ?? 02 - ??.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000002.3320173705.0000000006390000.00000002.00000001.00040000.00000025.sdmp, SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe, 00000000.00000003.2066854089.0000000005410000.00000004.00001000.00020000.00000000.sdmp, MSI92E.tmp.0.dr, MSIB14.tmp.0.dr, MSI880.tmp.0.dr, ?? 02 - ??.x64.msi.0.dr, MSI850.tmp.0.dr, MSI772.tmp.0.dr, MSI870.tmp.0.dr, MSI7F0.tmp.0.dr, ?? 02 - ??.msi.0.dr, MSIB53.tmp.0.dr, MSI8A1.tmp.0.dr, MSI82F.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe
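The "Binary string: ... .pdb" entries above come from scanning the process memory dumps (.sdmp) and the dropped files for PDB references. The paths under C:\ReleaseAI\win\Release\custact\x86\ are the build paths of Advanced Installer's custom-action DLLs (AICustAct, lzmaextractor, ShortcutFlags, ExternalUICleaner, Prereq), that is, installer-framework components rather than a payload of their own. The script below is an added example, not sandbox code: it parses proper CodeView RSDS records, which also yield the GUID/age pair a symbol server is keyed on, and separately runs the loose printable-string scan that produces the trailing-junk variants such as ExternalUICleaner.pdb3 and wininet.pdbUGP. The buffer it scans and the GUID in it are constructed for the demonstration.

```python
"""Recovering PDB paths the way the report's "Binary string: ...pdb" entries do:
added example, not sandbox code. A linker records the PDB in a CodeView entry
"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated path, so scanning a file or
memory dump for that signature yields both the path and the GUID/age pair a
symbol server is keyed on. A looser printable-string scan also surfaces the
fragments with stray trailing bytes ("...pdb3", "...pdbUGP") seen above. The
buffer scanned here is constructed inline; the GUID is invented."""
import re
import struct
import uuid

RSDS = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260}?\.pdb)\x00", re.DOTALL)


def find_rsds(blob):
    """Parse every CodeView RSDS record in blob."""
    records = []
    for m in RSDS.finditer(blob):
        guid = uuid.UUID(bytes_le=m.group(1))        # stored in Windows LE layout
        age = struct.unpack("<I", m.group(2))[0]
        path = m.group(3).decode("ascii")
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        records.append({
            "offset": m.start(), "path": path, "guid": str(guid), "age": age,
            # Symbol-server key: <name>/<GUID hex upper><age hex>/<name>
            "symsrv": "%s/%s%X/%s" % (name, guid.hex.upper(), age, name),
        })
    return records


def find_pdb_strings(blob, minlen=8):
    """Loose scan: printable runs mentioning .pdb, trailing junk included."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % minlen, blob)
    return [r.decode("ascii") for r in runs if b".pdb" in r]


# Constructed sample: one proper RSDS record plus a loose fragment.
SAMPLE_GUID = uuid.UUID("0b0d3d9a-6d64-4f9e-9a5d-1c2e3f405162")
SAMPLE = (b"\x90" * 12
          + b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 3)
          + b"C:\\ReleaseAI\\win\\Release\\custact\\x86\\AICustAct.pdb\x00"
          + b"\x00" * 5 + b"wininet.pdbUGP\x00" + b"\xff" * 4)

if __name__ == "__main__":
    for r in find_rsds(SAMPLE):
        print("offset %d  age %d  %s\n  %s" % (r["offset"], r["age"], r["path"], r["symsrv"]))
    print(find_pdb_strings(SAMPLE))
```

Run it against a .sdmp or a dropped file by replacing SAMPLE with the file's bytes; the symsrv key is what you would request from a symbol server to confirm that a dropped file really is the Microsoft or vendor build its PDB path claims.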
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shi55E.tmp.0.dr Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FBE810 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,__Init_thread_footer,LoadLibraryW,GetProcAddress,SHGetPathFromIDListW,SHGetMalloc, 0_2_00FBE810
Source: shi55E.tmp.0.dr Static PE information: section name: .wpp_sf
Source: shi55E.tmp.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00F88D70 push ecx; mov dword ptr [esp], 3F800000h 0_2_00F88EA6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EAC63B push ds; ret 0_2_00EAC63F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00E9D310 push ecx; mov dword ptr [esp], ecx 0_2_00E9D311
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_0105D68A push ecx; ret 0_2_0105D69D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File created: C:\Users\user\AppData\Local\Temp\MSI870.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File created: C:\Users\user\AppData\Local\Temp\MSI7F0.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File created: C:\Users\user\AppData\Local\Temp\MSIB14.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File created: C:\Users\user\AppData\Local\Temp\shi55E.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File created: C:\Users\user\AppData\Local\Temp\MSI82F.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File created: C:\Users\user\AppData\Local\Temp\MSIB53.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File created: C:\Users\user\AppData\Local\Temp\MSI850.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File created: C:\Users\user\AppData\Local\Temp\MSI772.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File created: C:\Users\user\AppData\Local\Temp\MSI880.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\lzmaextractor.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File created: C:\Users\user\AppData\Local\Temp\MSI92E.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File created: C:\Users\user\AppData\Local\Temp\MSI8A1.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ExternalUICleaner.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ShortcutFlags.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI870.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7F0.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB14.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi55E.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI82F.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB53.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI850.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI772.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI880.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\lzmaextractor.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI92E.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8A1.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ShortcutFlags.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\ExternalUICleaner.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File Volume queried: C:\Users\user\AppData\Roaming\Microsoft FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File Volume queried: C:\Users\user\AppData\Roaming\Microsoft\Outlook 24.9\install\550CEA2 FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File Volume queried: C:\Users\user\AppData\Roaming\Microsoft\Outlook 24.9\install\550CEA2 FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FA9830 FindFirstFileW,GetLastError,FindClose, 0_2_00FA9830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EA2290 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW, 0_2_00EA2290
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FA8ED0 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_00FA8ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FB7A10 FindFirstFileW,FindClose,FindClose, 0_2_00FB7A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_01059F12 VirtualQuery,GetSystemInfo, 0_2_01059F12
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_0105C3A3 IsDebuggerPresent,OutputDebugStringW, 0_2_0105C3A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FDD630 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers, 0_2_00FDD630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FBE810 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,__Init_thread_footer,LoadLibraryW,GetProcAddress,SHGetPathFromIDListW,SHGetMalloc, 0_2_00FBE810
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_0106835A mov ecx, dword ptr fs:[00000030h] 0_2_0106835A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_0105C6B6 mov esi, dword ptr fs:[00000030h] 0_2_0105C6B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_01076E5B mov eax, dword ptr fs:[00000030h] 0_2_01076E5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_01076E9F mov eax, dword ptr fs:[00000030h] 0_2_01076E9F
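The four "mov reg, dword ptr fs:[00000030h]" entries above are reads of the PEB pointer out of the TEB, the raw form of the IsDebuggerPresent check (PEB+0x02, BeingDebugged) that the report also flags at 0_2_0105C3A3 and 0_2_01061DF3. The script below is an added example, not sandbox code, showing how such reads are found at the byte level and how a read that goes on to test BeingDebugged is told apart from a benign TEB access; the x86 fragment it scans is constructed inline. CRT startup, SEH and loader helper code read fs:[30h] as well, so the hit on its own does not establish evasion.

```python
"""Opcode-level check behind the report's "mov reg, dword ptr fs:[30h]" entries
(the "Contains functionality to read the PEB" signature): added example, not
sandbox code. On 32-bit Windows FS selects the TEB; TEB+0x30 holds the PEB
pointer, and PEB+0x02 is BeingDebugged, the byte IsDebuggerPresent returns.
A hand-rolled check therefore looks like "mov eax, fs:[30h]" followed by a
"movzx eax, byte ptr [eax+2]". The code scanned here is constructed inline."""
import re
import struct

# 64 = FS segment prefix. A1 = mov eax, moffs32. 8B /r with mod=00, rm=101 is
# mov r32, [disp32]; the ModRM byte then names the destination register.
REG_BY_MODRM = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
                0x25: "esp", 0x2D: "ebp", 0x35: "esi", 0x3D: "edi"}
REG_INDEX = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "ebp": 5, "esi": 6, "edi": 7}
TEB_FIELDS = {0x00: "TEB.ExceptionList", 0x18: "TEB.Self",
              0x30: "TEB.ProcessEnvironmentBlock"}
FS_READ = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])(.{4})",
                     re.DOTALL)


def find_fs_reads(code, base=0):
    """Every FS-relative absolute read, with register, displacement and field."""
    hits = []
    for m in FS_READ.finditer(code):
        opcode = code[m.start() + 1]
        reg = "eax" if opcode == 0xA1 else REG_BY_MODRM[code[m.start() + 2]]
        disp = struct.unpack("<I", m.group(1))[0]
        hits.append({"va": base + m.start(), "length": m.end() - m.start(),
                     "reg": reg, "disp": disp,
                     "field": TEB_FIELDS.get(disp, "TEB+0x%X" % disp)})
    return hits


def reads_peb(code):
    """True if any fs:[30h] read is present (the report's signature)."""
    return any(h["disp"] == 0x30 for h in find_fs_reads(code))


def find_being_debugged_checks(code, base=0, window=16):
    """fs:[30h] reads that are followed within `window` bytes by
    movzx r32, byte ptr [same_reg+2], i.e. a PEB.BeingDebugged read."""
    found = []
    for h in find_fs_reads(code, base):
        if h["disp"] != 0x30 or h["reg"] not in REG_INDEX:
            continue
        start = h["va"] - base + h["length"]
        chunk = code[start:start + window]
        for i in range(len(chunk) - 3):
            modrm = chunk[i + 2]
            if ((chunk[i], chunk[i + 1]) == (0x0F, 0xB6) and (modrm >> 6) == 1
                    and (modrm & 7) == REG_INDEX[h["reg"]] and chunk[i + 3] == 2):
                found.append(h["va"])
                break
    return found


# Constructed x86 fragment: a debugger check followed by a harmless TEB read.
SAMPLE = bytes.fromhex(
    "55 8B EC "                # push ebp; mov ebp, esp
    "64 A1 30 00 00 00 "       # mov eax, fs:[30h]            ; PEB
    "0F B6 40 02 "             # movzx eax, byte ptr [eax+2]  ; PEB.BeingDebugged
    "85 C0 "                   # test eax, eax
    "75 07 "                   # jnz over the next instruction
    "64 8B 0D 18 00 00 00 "    # mov ecx, fs:[18h]            ; TEB.Self (benign)
    "5D C3"                    # pop ebp; ret
)

if __name__ == "__main__":
    for h in find_fs_reads(SAMPLE, base=0x401000):
        print("%08X mov %s, fs:[%02Xh]  %s" % (h["va"], h["reg"], h["disp"], h["field"]))
    print("BeingDebugged checks at:",
          ["%08X" % va for va in find_being_debugged_checks(SAMPLE, base=0x401000)])
```

Feed it the bytes of the .text section (with the section's virtual address as base) and the offsets it prints line up with the 0_2_... addresses the report lists; the second function is the stricter of the two and is the one worth alerting on.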
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_0105C722 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_0105C722
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EBC5D0 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00EBC5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00EBEF30 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00EBEF30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_0105D242 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0105D242
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_01061DF3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_01061DF3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FA4D70 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,FindCloseChangeNotification, 0_2_00FA4D70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: GetLocaleInfoW,GetLocaleInfoW, 0_2_00FD34F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_close_down.png VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_close_hot.png VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_close_normal.png VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_close_inactive.png VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_min_down.png VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_min_hot.png VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_min_hot.png VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_min_normal.png VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\sys_min_inactive.png VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_left.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_left_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_mid.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_mid_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_caption.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_caption_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_right.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_top_right_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_left.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_left_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_right.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_right_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_left.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_left_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_mid.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_mid_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_right.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\frame_bottom_right_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\background VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\PrepareDlgProgress.gif VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\PrepareDlgProgress.gif VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\applogoicon.bmp VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\background VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\backbutton VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\nextcancelbuttons VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\checkbox VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\metroinstallbutton VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\nextcancelbuttons VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\browsebutton VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7284\applogoicon.bmp VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FE9830 CreateNamedPipeW,CreateFileW, 0_2_00FE9830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_0105C37D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 0_2_0105C37D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00FE8160 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey, 0_2_00FE8160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Code function: 0_2_00E87620 GetVersionExW,GetVersionExW,GetVersionExW,IsProcessorFeaturePresent, 0_2_00E87620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.72635636.21001.25815.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob
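The signature lines above are raw API sequences; what a triage analyst needs is which of them carry weight. The following is an added example, not part of the Joe Sandbox report: a small Python triage pass over the "Code function" and "Registry key created or modified" lines of this section (copied in as constructed input, with the sample path shortened) that groups the sequences into the behaviours the report's signatures refer to and attaches a severity. Two points it encodes are worth stating plainly. First, several sequences are the shape of the MSVC C runtime rather than evasion: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess is the security-cookie failure handler, IsDebuggerPresent followed by SetUnhandledExceptionFilter and UnhandledExceptionFilter is the CRT fail-fast path, and GetProcessHeap with HeapAlloc/HeapFree is ordinary allocation (the heap-flags debugger check reads HEAP.Flags/ForceFlags through the returned pointer and is not visible as an extra call). Second, the certificate write lands under SystemCertificates\AuthRoot, which is the cache Windows' automatic root update fills when CryptoAPI fetches a missing third-party root from Microsoft while validating a signature; the thumbprint D1EB23A46D17D68FD92564C2F1F1601764D8E349 matches the published SHA-1 of Comodo's "AAA Certificate Services" root, a common anchor for Sectigo-signed binaries (confirm on the analysis VM with certutil -store AuthRoot). A write to ROOT, TrustedPublisher or Disallowed would be the thing to escalate. For context, the %TEMP%\AI_EXTUI_BIN_<number> directory holding the queried .png/.bmp theme files is the extraction folder an Advanced Installer bootstrapper uses for its UI, consistent with the msiexec.exe child; that is an inference from the paths, not something the report states. The severity table, rule thresholds and the "sample.exe" path are this example's own assumptions, not Joe Sandbox's.

```python
import re
from dataclasses import dataclass

# Constructed input: lines copied from the report section above, sample path shortened.
# Each "Code function" line is one function and the APIs Joe Sandbox saw it call, in order.
REPORT_LINES = r"""
Source: sample.exe Code function: 0_2_0105C6B6 mov esi, dword ptr fs:[00000030h] 0_2_0105C6B6
Source: sample.exe Code function: 0_2_0105C722 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_0105C722
Source: sample.exe Code function: 0_2_0105D242 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0105D242
Source: sample.exe Code function: 0_2_01061DF3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_01061DF3
Source: sample.exe Code function: 0_2_00FA4D70 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,FindCloseChangeNotification, 0_2_00FA4D70
Source: sample.exe Code function: 0_2_00FE9830 CreateNamedPipeW,CreateFileW, 0_2_00FE9830
Source: sample.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob
""".strip().splitlines()

@dataclass
class Finding:
    where: str      # function address, or STORE:THUMBPRINT for a certificate write
    severity: str   # "info" | "medium" | "high" (thresholds are this example's own)
    label: str

ADDR_RE = re.compile(r"^\d+_\d+_[0-9A-F]{8}$", re.I)
CERT_RE = re.compile(r"SystemCertificates\\(?P<store>[^\\]+)\\Certificates\\(?P<thumb>[0-9A-F]{40})", re.I)

# The store a certificate write lands in decides how much it matters. AuthRoot is the
# automatic-root-update cache that CryptoAPI fills when it fetches a missing third-party
# root to validate a signature; the other stores change what the machine trusts.
CERT_STORES = {
    "AUTHROOT": ("info", "third-party root cached by automatic root update (signature validation)"),
    "ROOT": ("high", "new root CA trusted for all purposes"),
    "TRUSTEDPUBLISHER": ("high", "publisher trusted for Authenticode without prompts"),
    "DISALLOWED": ("high", "certificate explicitly distrusted (can break updates or security tools)"),
    "CA": ("medium", "intermediate CA added to the machine store"),
}
SEVERITY_ORDER = {"info": 0, "medium": 1, "high": 2}

def subseq(apis, *needed):
    """True if every name in `needed` occurs in `apis` in that order (gaps allowed)."""
    pos = 0
    for name in needed:
        if name not in apis[pos:]:
            return False
        pos = apis.index(name, pos) + 1
    return True

def split_code_function(rest):
    """Drop the function address Joe Sandbox prints at both ends; return (addr, asm, apis)."""
    tokens = rest.split()
    addr = "?"
    if tokens and ADDR_RE.match(tokens[0]):
        addr = tokens.pop(0)
    if tokens and ADDR_RE.match(tokens[-1]):
        addr = tokens.pop()
    body = " ".join(tokens)
    if " " in body:                       # a raw instruction, not a comma-separated API list
        return addr, body, []
    return addr, "", [a for a in body.split(",") if a]

def classify_function(addr, asm, apis):
    out = []
    if re.search(r"fs:\[0*30h\]", asm):
        out.append(Finding(addr, "medium", "reads the PEB via fs:[30h] (BeingDebugged/NtGlobalFlag live there, but CRT code reads it too)"))
    if subseq(apis, "IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"):
        out.append(Finding(addr, "info", "IsDebuggerPresent inside a fail-fast path: MSVC CRT fail-fast shape, not an evasion check"))
    elif "IsDebuggerPresent" in apis:
        out.append(Finding(addr, "medium", "IsDebuggerPresent outside the CRT fail-fast shape"))
    elif subseq(apis, "SetUnhandledExceptionFilter", "UnhandledExceptionFilter", "TerminateProcess"):
        out.append(Finding(addr, "info", "SetUnhandledExceptionFilter -> UnhandledExceptionFilter -> TerminateProcess: CRT security-cookie failure handler shape"))
    if subseq(apis, "OpenProcessToken", "GetTokenInformation", "AllocateAndInitializeSid", "EqualSid"):
        out.append(Finding(addr, "medium", "compares its own token groups against a built SID: typically an 'am I Administrator?' check before deciding to elevate"))
    if "GetProcessHeap" in apis and set(apis) <= {"GetProcessHeap", "HeapAlloc", "HeapReAlloc", "HeapFree"}:
        out.append(Finding(addr, "info", "plain heap use; the heap-flags debugger check reads HEAP.Flags/ForceFlags via the returned pointer and shows no extra API call"))
    if "CreateNamedPipeW" in apis or "CreateNamedPipeA" in apis:
        out.append(Finding(addr, "info", "creates a named pipe (local IPC endpoint; pull the pipe name and its ACL from the dynamic trace)"))
    return out

def classify_registry(path):
    m = CERT_RE.search(path)
    if not m:
        return []
    store = m.group("store").upper()
    severity, why = CERT_STORES.get(store, ("medium", "write to an uncommon certificate store"))
    return [Finding(f"{store}:{m.group('thumb').upper()}", severity, why)]

def triage(lines):
    findings = []
    for line in lines:
        if "Code function: " in line:
            findings += classify_function(*split_code_function(line.split("Code function: ", 1)[1]))
        elif "Registry key created or modified: " in line:
            findings += classify_registry(line.split("Registry key created or modified: ", 1)[1])
    return findings

def worst(findings):
    """Highest severity present; "info" when there are no findings."""
    return max((f.severity for f in findings), key=SEVERITY_ORDER.get, default="info")

if __name__ == "__main__":
    for f in triage(REPORT_LINES):
        print(f"[{f.severity:6}] {f.where}: {f.label}")
```

Run against the constructed lines, the only findings above "info" are the fs:[30h] read and the token-group check; the rest are CRT shapes, a named pipe and the AuthRoot cache write. Lines that match no rule (the GetUserNameW/GetEnvironmentVariableW and GetVersionExW enumerations, for instance) produce nothing by design, so the output is a shortlist rather than a restatement of the report.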
No contacted IP infos