Windows Analysis Report
SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe

Overview

General Information

Sample name: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe
Analysis ID: 1521531
MD5: b1382f20fc2ac8ee00bc5d35cfe2a883
SHA1: 92dbed9a976191f17357082391fd69c38847875e
SHA256: abecc0256e95bbe633bd3139e6baf60b95db22b8271878f3f35ae3c412ff557d
Tags: AdwareInstallCoreexe

Detection

Score: 29
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Uses shutdown.exe to shutdown or reboot the system
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_004531A4 FindFirstFileA,GetLastError, 1_2_004531A4
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00476120 FindFirstFileA,FindNextFileA,FindClose, 1_2_00476120
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_004648D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_004648D0
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00464D4C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464D4C
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00463344 FindFirstFileA,FindNextFileA,FindClose, 1_2_00463344
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0049998C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_0049998C
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, 00000001.00000000.1444817104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr String found in binary or memory: http://www.innosetup.com/
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444240891.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444389296.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, 00000001.00000000.1444817104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr String found in binary or memory: http://www.remobjects.com/ps
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444240891.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444389296.00000000020A8000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp, 00000001.00000000.1444817104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr String found in binary or memory: http://www.remobjects.com/psU

System Summary

Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Process created: C:\Windows\SysWOW64\shutdown.exe "shutdown.exe" -r -f -t 0
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0042F9C0 NtdllDefWindowProc_A, 1_2_0042F9C0
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00423FD4 NtdllDefWindowProc_A, 1_2_00423FD4
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00412A28 NtdllDefWindowProc_A, 1_2_00412A28
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00479D08 NtdllDefWindowProc_A, 1_2_00479D08
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00457D90 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_00457D90
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0042ED84: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 1_2_0042ED84
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Code function: 0_2_004098E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_004098E8
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00455D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_00455D80
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Code function: 0_2_00408888 0_2_00408888
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00468034 1_2_00468034
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00488030 1_2_00488030
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0046A088 1_2_0046A088
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00452100 1_2_00452100
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0043E1F0 1_2_0043E1F0
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_004307FC 1_2_004307FC
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00444968 1_2_00444968
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00434A64 1_2_00434A64
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00444F10 1_2_00444F10
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00488F90 1_2_00488F90
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00431388 1_2_00431388
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00445608 1_2_00445608
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00471688 1_2_00471688
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0048F6BC 1_2_0048F6BC
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00435768 1_2_00435768
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0045F8C0 1_2_0045F8C0
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0045B970 1_2_0045B970
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00445A14 1_2_00445A14
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: String function: 00446274 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: String function: 0040596C appears 114 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: String function: 00453AAC appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: String function: 0043497C appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: String function: 00458718 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: String function: 00403400 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: String function: 0040905C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: String function: 00407D44 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: String function: 00446544 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: String function: 0045850C appears 100 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: String function: 0040357C appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: String function: 00406F14 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: String function: 00403684 appears 229 times
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444240891.00000000023B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe, 00000000.00000003.1444389296.00000000020A8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe
Source: classification engine Classification label: sus29.rans.winEXE@6/2@0/0
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_004565A8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 1_2_004565A8
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00456DD4 CoCreateInstance,CoCreateInstance,SysFreeString,SysFreeString, 1_2_00456DD4
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Code function: 0_2_0040A0D4 FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_0040A0D4
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe File created: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe "C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Process created: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp "C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp" /SL5="$103E6,76800,76800,C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe"
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Process created: C:\Windows\SysWOW64\shutdown.exe "shutdown.exe" -r -f -t 0
Source: C:\Windows\SysWOW64\shutdown.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\shutdown.exe Section loaded: shutdownext.dll
Source: C:\Windows\SysWOW64\shutdown.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00450994 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00450994
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Code function: 0_2_00406A18 push 00406A55h; ret 0_2_00406A4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Code function: 0_2_004093B4 push 004093E7h; ret 0_2_004093DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Code function: 0_2_00408580 push ecx; mov dword ptr [esp], eax 0_2_00408585
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00409D9C push 00409DD9h; ret 1_2_00409DD1
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0041A078 push ecx; mov dword ptr [esp], ecx 1_2_0041A07D
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00452100 push ecx; mov dword ptr [esp], eax 1_2_00452105
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0040A273 push ds; ret 1_2_0040A29D
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_004062C4 push ecx; mov dword ptr [esp], eax 1_2_004062C5
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0040A29F push ds; ret 1_2_0040A2A0
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00460518 push ecx; mov dword ptr [esp], ecx 1_2_0046051C
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00496594 push ecx; mov dword ptr [esp], ecx 1_2_00496599
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_004587B4 push 004587ECh; ret 1_2_004587E4
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00410930 push ecx; mov dword ptr [esp], edx 1_2_00410935
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00486A94 push ecx; mov dword ptr [esp], ecx 1_2_00486A99
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00478D50 push ecx; mov dword ptr [esp], edx 1_2_00478D51
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00412D78 push 00412DDBh; ret 1_2_00412DD3
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0040D288 push ecx; mov dword ptr [esp], edx 1_2_0040D28A
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0040F7E8 push ecx; mov dword ptr [esp], edx 1_2_0040F7EA
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_004438E0 push ecx; mov dword ptr [esp], ecx 1_2_004438E4
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00459ACC push 00459B10h; ret 1_2_00459B08
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0049BD44 pushad ; retf 1_2_0049BD53
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe File created: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp File created: C:\Users\user\AppData\Local\Temp\is-2KP2F.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0042405C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_0042405C
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0041811E IsIconic,SetWindowPos, 1_2_0041811E
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00418120 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00418120
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_004245E4 IsIconic,SetActiveWindow, 1_2_004245E4
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0042462C IsIconic,SetActiveWindow,SetFocus, 1_2_0042462C
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_004187D4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_004187D4
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00422CAC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_00422CAC
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00484D28 IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_00484D28
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0042F71C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow, 1_2_0042F71C
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_004179E8 IsIconic,GetCapture, 1_2_004179E8
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0041F568 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F568
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2KP2F.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_004531A4 FindFirstFileA,GetLastError, 1_2_004531A4
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00476120 FindFirstFileA,FindNextFileA,FindClose, 1_2_00476120
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_004648D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_004648D0
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00464D4C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464D4C
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00463344 FindFirstFileA,FindNextFileA,FindClose, 1_2_00463344
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0049998C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_0049998C
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Code function: 0_2_0040A018 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_0040A018
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00450994 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00450994
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0047974C ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_0047974C
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0042F254 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA, 1_2_0042F254
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_0042E4EC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 1_2_0042E4EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Code function: GetLocaleInfoA, 0_2_0040565C
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Code function: GetLocaleInfoA, 0_2_004056A8
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: GetLocaleInfoA, 1_2_004089B8
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: GetLocaleInfoA, 1_2_00408A04
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00458DC4 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_00458DC4
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp Code function: 1_2_00455D38 GetUserNameA, 1_2_00455D38
Source: C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe Code function: 0_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy, 0_2_00404654
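The "Code function:" lines above are the most useful part of this report for triage, but reading forty of them by eye is slow. The following is an added example, not part of the analysis report and not the sandbox vendor's tooling: a small parser that turns those lines into (process, function id, API chain) records, tags each function with the behaviour its API chain implies (the token-membership admin check at 1_2_0042E4EC, the GetProcAddress-heavy resolvers at 1_2_0041F568 and 0_2_00404654, the VirtualProtect call in 0_2_0040A018, the push/ret snippets), and summarises hits per process. The rule table, the "GetProcAddress heavy" threshold and the tag names are the author's own assumptions; the sample lines are copied from the report above and a "Process information set" line is included to show non-matching lines being ignored.

```python
"""Triage helper for 'Code function:' lines in a sandbox behaviour report.

Added example, not part of the report or of any vendor tooling. It parses

    Source: <path> Code function: [<id>] <Api1>,<Api2>,... <id>

into records and tags each function by the behaviour its API chain implies.
"""
import re
from collections import defaultdict

# Function ids look like <process index>_<pass>_<virtual address>, e.g. 1_2_0042E4EC.
_FID = re.compile(r"\d+_\d+_[0-9A-Fa-f]{8}")

# Assumed rule table: an API chain containing any marker gets the tag.
RULES = {
    "privilege check": {"CheckTokenMembership", "GetTokenInformation", "OpenProcessToken", "EqualSid"},
    "dynamic api resolution": {"LoadLibraryA", "GetProcAddress"},
    "process creation": {"CreateProcessA", "ShellExecuteEx"},
    "time query": {"GetSystemTime", "GetTickCount", "GetSystemTimeAsFileTime"},
    "memory protection change": {"VirtualProtect"},
    "dep policy": {"SetProcessDEPPolicy"},
    "dacl on kernel object": {"SetSecurityDescriptorDacl", "CreateMutexA"},
    "locale query": {"GetLocaleInfoA"},
}
GETPROCADDRESS_THRESHOLD = 4  # assumed: this many resolutions in one function is worth a look


def parse_line(line):
    """Return a record for a 'Code function:' line, or None for any other report line."""
    if not line.startswith("Source: ") or " Code function: " not in line:
        return None
    source, body = line[len("Source: "):].split(" Code function: ", 1)
    tail = body.strip().rsplit(" ", 1)
    if len(tail) != 2 or not _FID.fullmatch(tail[1]):
        return None
    body, fid = tail
    # A leading id, when present, is the function start address; prefer it.
    m = _FID.match(body)
    if m and m.end() < len(body) and body[m.end()] == " ":
        fid, body = m.group(), body[m.end() + 1:]
    asm, apis = None, []
    if ";" in body:  # e.g. "push 00459B10h; ret": a disassembly snippet, not an API chain
        asm = body
    else:
        apis = [a for a in (p.strip() for p in body.split(",")) if a]
    return {"process": source.rsplit("\\", 1)[-1], "function": fid, "apis": apis, "asm": asm}


def classify(record):
    """Return the set of behaviour tags implied by one function's API chain."""
    tags = set()
    present = set(record["apis"])
    for tag, markers in RULES.items():
        if present & markers:
            tags.add(tag)
    if record["apis"].count("GetProcAddress") >= GETPROCADDRESS_THRESHOLD:
        tags.add("getprocaddress heavy")
    if record["asm"] and "push" in record["asm"] and "ret" in record["asm"]:
        tags.add("push/ret obfuscation")
    return tags


def summarize(lines):
    """Aggregate all parsable lines: function count, hits per process, function ids per tag."""
    records = [r for r in map(parse_line, lines) if r]
    per_process, by_tag = defaultdict(int), defaultdict(list)
    for r in records:
        per_process[r["process"]] += 1
        for tag in sorted(classify(r)):
            by_tag[tag].append(r["function"])
    return {"functions": len(records), "per_process": dict(per_process), "by_tag": dict(by_tag)}


# Sample input copied from the report above (the last line is a non-matching line on purpose).
EXE = r"C:\Users\user\Desktop\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.exe"
TMP = r"C:\Users\user\AppData\Local\Temp\is-O2DFQ.tmp\SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.tmp"
REPORT_LINES = [
    f"Source: {TMP} Code function: 1_2_00459ACC push 00459B10h; ret 1_2_00459B08",
    f"Source: {TMP} Code function: 1_2_0041F568 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,"
    "GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,"
    "GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F568",
    f"Source: {EXE} Code function: 0_2_0040A018 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_0040A018",
    f"Source: {TMP} Code function: 1_2_0042E4EC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,"
    "CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,"
    "GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 1_2_0042E4EC",
    f"Source: {EXE} Code function: GetLocaleInfoA, 0_2_0040565C",
    f"Source: {TMP} Code function: 1_2_00458DC4 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,"
    "GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,"
    "CloseHandle,CloseHandle, 1_2_00458DC4",
    f"Source: {EXE} Code function: 0_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,"
    "GetProcAddress,GetProcAddress,SetProcessDEPPolicy, 0_2_00404654",
    f"Source: {EXE} Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior",
]

if __name__ == "__main__":
    summary = summarize(REPORT_LINES)
    print(summary["functions"], "functions parsed")
    for process, n in summary["per_process"].items():
        print(f"  {n:3d}  {process}")
    for tag, fids in sorted(summary["by_tag"].items()):
        print(f"  {tag}: {', '.join(fids)}")
```

Feed it the whole report and the tag index gives a quick map of which functions to open in the disassembler first; the "privilege check" tag lands on the function whose chain (CheckTokenMembership, OpenProcessToken, GetTokenInformation, EqualSid) is the token-information check the report flags as an evasive decision point. Tune RULES to the sandbox you use, since API names and line layout vary between vendors.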
No contacted IP information