Source: Submitted Sample
Integrated Neural Analysis Model: Matched 94.5% probability
Source: V2-Office-C2R-Update-16.exe
Joe Sandbox ML: detected
Source: V2-Office-C2R-Update-16.exe
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Code function: 0_2_004054C6 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Code function: 0_2_00405E9C FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Code function: 0_2_00402654 FindFirstFileA
Source: V2-Office-C2R-Update-16.exe
String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: V2-Office-C2R-Update-16.exe
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Code function: 0_2_00404FCB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Code function: 0_2_0040310D EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Code function: 0_2_00406B01
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Code function: 0_2_0040632A
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Code function: 0_2_004047DC
Source: classification engine
Classification label: mal48.winEXE@1/2@0/0
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Code function: 0_2_0040429B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
File created: C:\Users\user\AppData\Local\Temp\nstB5BF.tmp
Source: V2-Office-C2R-Update-16.exe
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
File read: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Section loaded: userenv.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Section loaded: version.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Section loaded: wldp.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Section loaded: propsys.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
File created: C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\System.dll
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstB5C0.tmp\System.dll
Source: V2-Office-C2R-Update-16.exe, 00000000.00000002.1417244942.000000000047E000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: I-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Fy;
Source: V2-Office-C2R-Update-16.exe, 00000000.00000002.1417244942.000000000047E000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: 5HSCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\V2-Office-C2R-Update-16.exe
API call chain: ExitProcess graph end node