Windows Analysis Report
SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Overview

General Information

Sample name: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
Analysis ID: 1522188
MD5: e3c955967b61afd68ffdf50f9d4e085a
SHA1: 76ca40cb78f2d155217464072bd29f453bce16c3
SHA256: c3caf1714085fbbc73fecccbd68193c2ac033833cef055e8e8948f28e62b89f4
Tags: exe

Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Creates HTA files
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
File is packed with WinRar
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: Xr5XVue.exe, 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_63f5faab-4
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 5.45.205.243:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.45.200.105:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: Binary string: wextract.pdb source: setup.exe
Source: Binary string: wextract.pdbU source: setup.exe
Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
Source: Binary string: C:\BuildAgent\work\4a73c29f3c4e6ac\downloader\Release\downloader.pdb source: o9iQbd0.exe.4.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Code function: 0_2_00404492 FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError, 0_2_00404492
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Code function: 0_2_004097ED SendDlgItemMessageA,DestroyIcon,EndDialog,SetDlgItemTextA,SetDlgItemTextA,SHGetFileInfoA,SendDlgItemMessageA,FindFirstFileA,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatA,GetDateFormatA,wsprintfA,wsprintfA,SetDlgItemTextA,FindClose,wsprintfA,SetDlgItemTextA,SendDlgItemMessageA,DosDateTimeToFileTime,FileTimeToSystemTime,GetTimeFormatA,GetDateFormatA,wsprintfA,SetDlgItemTextA,wsprintfA,SetDlgItemTextA, 0_2_004097ED
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Local\Temp\RarSFX0\img\
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Local\Temp\RarSFX0\
Source: Joe Sandbox View IP Address: 5.45.205.243 5.45.205.243
Source: Joe Sandbox View JA3 fingerprint: 0c9457ab6f0d6a14fc8a3d1d149547fb
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00468EC9 _errno,recv, 4_2_00468EC9
Source: global traffic HTTP traffic detected: GET /yandex-pack/downloader/downloader.exe HTTP/1.1User-Agent: Wget/1.19.2 (mingw32)Accept: */*Accept-Encoding: gzipHost: download.yandex.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download.yandex.ru/yandex-pack/downloader/downloader.exe?lid=299 HTTP/1.1User-Agent: Wget/1.19.2 (mingw32)Accept: */*Accept-Encoding: gzipHost: cachev2-fra-02.cdn.yandex.netConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: download.yandex.ru
Source: global traffic DNS traffic detected: DNS query: cachev2-fra-02.cdn.yandex.net
Source: Xr5XVue.exe String found in binary or memory: http://bibnum.bnf.fr/WARC/WARC_ISO_28500_version1_latestdraft.pdf
Source: Xr5XVue.exe, 00000004.00000002.2130542848.0000000000F61000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Xr5XVue.exe String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Xr5XVue.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Xr5XVue.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, o9iQbd0.exe.4.dr String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, o9iQbd0.exe.4.dr String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Xr5XVue.exe, 00000004.00000002.2130542848.0000000000F61000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: o9iQbd0.exe.4.dr String found in binary or memory: http://downloader.yandex.net/yandex-pack/YandexPackSetup.exeYandexSearch.exedownloader.yandex.netdow
Source: Xr5XVue.exe String found in binary or memory: http://netpreserve.org/warc/1.0/revisit/identical-payload-digest
Source: Xr5XVue.exe String found in binary or memory: http://netpreserve.org/warc/1.0/revisit/identical-payload-digestWARC-ProfilelengthWARC-Truncatedappl
Source: Xr5XVue.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: Xr5XVue.exe, 00000004.00000002.2130542848.0000000000F61000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, o9iQbd0.exe.4.dr String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, o9iQbd0.exe.4.dr String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, o9iQbd0.exe.4.dr String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, o9iQbd0.exe.4.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Xr5XVue.exe String found in binary or memory: http://www.gnu.org/licenses/gpl.html
Source: Xr5XVue.exe String found in binary or memory: http://www.metalinker.org/
Source: Xr5XVue.exe String found in binary or memory: http://www.metalinker.org/typedynamicoriginurn:ietf:params:xml:ns:metalinktagsidentityfilesfilenames
Source: mshta.exe, 00000002.00000002.3324628787.0000000003274000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.yF
Source: Xr5XVue.exe, 00000004.00000003.2129598773.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000002.2130499484.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dr.yandex.net/strm
Source: Xr5XVue.exe, 00000004.00000003.2129598773.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000002.2130499484.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dr2.yandex.net/strm
Source: gam-page.html, last-page.html, start.hta, ya-page.html String found in binary or memory: https://openbox.su/app1/
Source: mshta.exe, 00000002.00000002.3324628787.00000000032C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://openbox.su/app1/K
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, o9iQbd0.exe.4.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Xr5XVue.exe String found in binary or memory: https://www.openssl.org/docs/faq.html
Source: Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr String found in binary or memory: https://yandex.com0
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707

System Summary

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Code function: 0_2_00402011 0_2_00402011
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Code function: 0_2_0040621D 0_2_0040621D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Code function: 0_2_0040168A 0_2_0040168A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Code function: 0_2_00405D4D 0_2_00405D4D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_004253D0 4_2_004253D0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_0041C4B7 4_2_0041C4B7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_005CF16C 4_2_005CF16C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_005CF100 4_2_005CF100
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_0040724D 4_2_0040724D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_004DF270 4_2_004DF270
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_005CE2C0 4_2_005CE2C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_0053E360 4_2_0053E360
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_004E7470 4_2_004E7470
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_0053F400 4_2_0053F400
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00441595 4_2_00441595
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00670670 4_2_00670670
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_004D48E0 4_2_004D48E0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_004258F6 4_2_004258F6
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00425893 4_2_00425893
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_004DB8B0 4_2_004DB8B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_005CE9E0 4_2_005CE9E0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00444991 4_2_00444991
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00447A68 4_2_00447A68
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00425A72 4_2_00425A72
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_0044BACC 4_2_0044BACC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00425A98 4_2_00425A98
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00425B43 4_2_00425B43
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00425B62 4_2_00425B62
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00425B09 4_2_00425B09
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00425B1C 4_2_00425B1C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_0052EB20 4_2_0052EB20
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00425BD0 4_2_00425BD0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00425BF2 4_2_00425BF2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00425B8C 4_2_00425B8C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00425BAE 4_2_00425BAE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00425C14 4_2_00425C14
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_0042AC1D 4_2_0042AC1D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00425CD5 4_2_00425CD5
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00443CFC 4_2_00443CFC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00467D61 4_2_00467D61
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_004FAD60 4_2_004FAD60
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_0065AD20 4_2_0065AD20
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_004D7DD0 4_2_004D7DD0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_004CFDE0 4_2_004CFDE0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00425D86 4_2_00425D86
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_0053EE50 4_2_0053EE50
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_0044AE6F 4_2_0044AE6F
Source: setup.exe.0.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 224531 bytes, 5 files, at 0x2c "dsetup.dll" "dsetup32.dll", ID 5930, number 1, 69 datablocks, 0x1503 compression
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, 00000000.00000002.3325630626.00000000006FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMSHTA.EXE.MUID vs SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, 00000000.00000002.3325630626.00000000006FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMSHTA.EXED vs SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine Classification label: sus26.winEXE@6/23@2/2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_0043F831 CertOpenSystemStoreA,GetProcAddress,CertOpenSystemStoreA,CertOpenSystemStoreA,CertOpenSystemStoreA, 4_2_0043F831
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00672100 _get_osfhandle,GetFileType,_telli64,GetFileSizeEx,SetFilePointer,SetEndOfFile,_lseeki64,GetFileInformationByHandle,calloc,calloc,FindFirstVolumeW,FindNextVolumeW,GetVolumeInformationW,FindVolumeClose,free,GetDiskFreeSpaceExW,free,GetLastError,FindVolumeClose,free, 4_2_00672100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Code function: 0_2_00404AB5 CLSIDFromString,CoCreateInstance, 0_2_00404AB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Code function: 0_2_0040879E GetModuleHandleA,FindResourceA, 0_2_0040879E
Source: C:\Windows\SysWOW64\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe String found in binary or memory: OOO DIGITAL-START1
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe String found in binary or memory: OOO DIGITAL-START1#0!
Source: 7z.exe String found in binary or memory: Check charset encoding and -scs switch.*BLEDARVUANAXAIXIWOMPYTBDBA-HELPHasut0-SSCSSWSLTSCSSLPADSEMLAOSOSISFXPQRXYZW0123cannot find archivethere is no such archiveCannot use absolute pathnames for this commandReading archives from stdin is not implementedstdout mode and email mode cannot be combineddata errorIncorrect mapping dataMapViewOfFile errorCan not open mappingIncorrect volume size
Source: Xr5XVue.exe String found in binary or memory: bind-address
Source: Xr5XVue.exe String found in binary or memory: Try `%s --help' for more options.
Source: Xr5XVue.exe String found in binary or memory: Try `%s --help' for more options.
Source: Xr5XVue.exe String found in binary or memory: WARC output does not work with --continue or --start-pos, they will be disabled.
Source: Xr5XVue.exe String found in binary or memory: Compression does not work with --continue or --start-pos, they will be disabled.
Source: Xr5XVue.exe String found in binary or memory: Specifying both --start-pos and --continue is not recommended; --continue will be disabled.
Source: Xr5XVue.exe String found in binary or memory: acceptaccept-regexacceptregexadjust-extensionadjustextensionappend-outputask-passwordaskpasswordauth-no-challengeauthnochallengebackgroundbackup-convertedbackupconvertedbackupsbasebind-addressbindaddressbody-databodydatabody-filebodyfileca-certificatecacertificateca-directorycadirectorycachecertificatecertificate-typecertificatetypecheck-certificatecheckcertificateclobbercompressionconfigchooseconfigconnect-timeoutconnecttimeoutcontinueconvert-file-onlyconvertfileonlyconvert-linksconvertlinkscontent-dispositioncontentdispositioncontent-on-errorcontentonerrorcookiescrl-filecrlfilecut-dirscutdirsdebugdefault-pagedefaultpagedelete-afterdeleteafterdirectoriesdirstructdirectory-prefixdirprefixdns-cachednscachedns-timeoutdnstimeoutdomainsdont-remove-listingdot-styledotstyleegd-fileegdfileexclude-directoriesexcludedirectoriesexclude-domainsexcludedomainsexecutefollow-ftpfollowftpfollow-tagsfollowtagsforce-directoriesforce-htmlforcehtmlftp-passwordftppasswordftp-userftpuserftps-clear-data-connectionftpscleardataconnectionftps-fallback-to-ftpftpsfallbacktoftpftps-implicitftpsimplicitftps-resume-sslftpsresumesslglobheaderhelphost-directoriesaddhostdirhstshsts-filehstsfilehtml-extensionhtmlifyhttp-keep-alivehttpkeepalivehttp-passwdhttppasswordhttp-passwordhttp-userhttpuserhttps-onlyhttpsonlyignore-caseignorecaseignore-lengthignorelengthignore-tagsignoretagsinclude-directoriesincludedirectoriesinet4-onlyinet4onlyinet6-onlyinet6onlyinput-fileinputinput-metalinkinputmetalinkirikeep-badhashkeepbadhashkeep-session-cookieskeepsessioncookieslevelreclevellimit-ratelimitrateload-cookiesloadcookieslocal-encodinglocalencodingrejected-logrejectedlogmax-redirectmaxredirectmetalink-indexmetalinkindexmetalink-over-httpmetalinkoverhttpmethodmirrornetrcnono-clobbernoclobberno-confignoconfigno-parentnoparentoutput-documentoutputdocumentoutput-filelogfilepage-requisitespagerequisitesparentpassive-ftppassiveftppasswordpinnedpubkeypost-datapost
datapost-filepostfileprefer-familypreferfamilypreferred-locationpreferredlocationpreserve-permissionspreservepermissionsprivate-keyprivatekeyprivate-key-typeprivatekeytypeprogressshow-progressshowprogressprotocol-directoriesprotocoldirectoriesproxyuseproxyproxy__compatproxy-passwdproxypasswordproxy-passwordproxy-userproxyuserquietquotarandom-filerandomfilerandom-waitrandomwaitread-timeoutreadtimeoutrecursiverefererregex-typeregextyperejectreject-regexrejectregexrelativerelativeonlyremote-encodingremoteencodingremove-listingremovelistingreport-speedreportspeedrestrict-file-namesrestrictfilenamesretr-symlinksretrsymlinksretry-connrefusedretryconnrefusedretry-on-http-errorretryonhttperrorsave-cookiessavecookiessave-headerssaveheaderssecure-protocolsecureprotocolserver-responseserverresponsespan-hostsspanhostsspiderstart-posstartposstrict-commentsstrictcommentstimeouttimestampingif-modified-sinceifmodifiedsincetriesunlinktrust-server-namestrustservernamesuse-askpassuseaskpassuse-server-timestampsuseservertimestampsuseruser-agentuseragentverbo
Source: Xr5XVue.exe String found in binary or memory: dotCompression does not work with --continue or --start-pos, they will be disabled.
Source: Xr5XVue.exe String found in binary or memory: -h, --help print this help
Source: Xr5XVue.exe String found in binary or memory: -h, --help print this help
Source: Xr5XVue.exe String found in binary or memory: --start-pos=OFFSET start downloading from zero-based position OFFSET
Source: Xr5XVue.exe String found in binary or memory: --bind-address=ADDRESS bind to ADDRESS (hostname or IP) on local host
Source: Xr5XVue.exe String found in binary or memory: WARC-IP-Address
Source: Xr5XVue.exe String found in binary or memory: WARC-DateWARC-IP-Addresssha1:WARC-Block-DigestWARC-Payload-Digest%Y-%m-%dT%H:%M:%SZRpcrt4.dllUuidCreateUuidToStringARpcStringFreeA<urn:uuid:%s><urn:uuid:%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x>warcinfoWARC-Typeapplication/warc-fieldsContent-TypeWARC-Record-IDWARC-Filenamemingw32software: Wget/%s (%s)
Source: Xr5XVue.exe String found in binary or memory: id-cmc-addExtensions
Source: Xr5XVue.exe String found in binary or memory: set-addPolicy
Source: Xr5XVue.exe String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe" -O o9iQbd0.exe https://download.yandex.ru/yandex-pack/downloader/downloader.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: riched32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windowscodecsext.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mscms.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coloradapterclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: icm32.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Window found: window name: RichEdit Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe File opened: C:\Windows\SysWOW64\riched32.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Static file information: File size 2685976 > 1048576
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wextract.pdb source: setup.exe
Source: Binary string: wextract.pdbU source: setup.exe
Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
Source: Binary string: C:\BuildAgent\work\4a73c29f3c4e6ac\downloader\Release\downloader.pdb source: o9iQbd0.exe.4.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Code function: 0_2_0040CC30 LoadLibraryA,LoadLibraryA,LoadLibraryA,#17,LoadLibraryA,GetProcAddress,FreeLibrary,SHGetMalloc, 0_2_0040CC30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6327046
Source: Xr5XVue.exe.0.dr Static PE information: section name: /4
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_004E37B0 push eax; mov dword ptr [esp], ebx 4_2_004E3803
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\7z.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\7z.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\o9iQbd0.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\7z.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\7z.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\o9iQbd0.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe API coverage: 5.5 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Code function: 0_2_00404492 FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError, 0_2_00404492
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Code function: 0_2_004097ED SendDlgItemMessageA,DestroyIcon,EndDialog,SetDlgItemTextA,SetDlgItemTextA,SHGetFileInfoA,SendDlgItemMessageA,FindFirstFileA,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatA,GetDateFormatA,wsprintfA,wsprintfA,SetDlgItemTextA,FindClose,wsprintfA,SetDlgItemTextA,SendDlgItemMessageA,DosDateTimeToFileTime,FileTimeToSystemTime,GetTimeFormatA,GetDateFormatA,wsprintfA,SetDlgItemTextA,wsprintfA,SetDlgItemTextA, 0_2_004097ED
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Local\Temp\RarSFX0\img\
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Local\Temp\RarSFX0\
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, 00000000.00000002.3325630626.00000000006A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ya
Source: mshta.exe, 00000002.00000002.3324628787.00000000032B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: Xr5XVue.exe, 00000004.00000002.2130409199.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Code function: 0_2_0040CC30 LoadLibraryA,LoadLibraryA,LoadLibraryA,#17,LoadLibraryA,GetProcAddress,FreeLibrary,SHGetMalloc, 0_2_0040CC30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Code function: 0_2_00408A5F GetProcessHeap,RtlAllocateHeap, 0_2_00408A5F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_004011FD SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,exit, 4_2_004011FD
Source: C:\Windows\SysWOW64\mshta.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe" -O o9iQbd0.exe https://download.yandex.ru/yandex-pack/downloader/downloader.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_005974A0 cpuid 4_2_005974A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Code function: GetLocaleInfoA, 0_2_004091C2
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\o9iQbd0.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_0066F740 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_0066F740
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00670C30 GetTimeZoneInformation,GetSystemTimeAsFileTime, 4_2_00670C30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe Code function: 0_2_004050C9 lstrlenA,GlobalAlloc,GetVersionExA,MultiByteToWideChar,WideCharToMultiByte,CreateStreamOnHGlobal, 0_2_004050C9
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00461409 _errno,bind, 4_2_00461409
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe Code function: 4_2_00466CC5 _errno,listen, 4_2_00466CC5