Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522729
MD5: d059de04a3a3332380335593782c6623
SHA1: 0986639f0dda7184b816dfecf738c7064f399d48
SHA256: 77090d1dc1644653d318a6de50c7d614113e58b8e0b320bc94d0edddcc067432
Tags: exeuser-jstrosch
Infos:

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file overlay found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe ReversingLabs: Detection: 30%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 68%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 84.9% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004053D0 DeleteFileA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405DDF FindFirstFileA,FindClose, 0_2_00405DDF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402684 FindFirstFileA, 0_2_00402684
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00451C48 FindFirstFileA,GetLastError, 3_2_00451C48
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00462C34 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 3_2_00462C34
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004630B0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 3_2_004630B0
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004616A8 FindFirstFileA,FindNextFileA,FindClose, 3_2_004616A8
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004737F4 FindFirstFileA,FindNextFileA,FindClose, 3_2_004737F4
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00495D6C FindFirstFileA,6D1682A0,FindNextFileA,FindClose, 3_2_00495D6C
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\nsi2AC5.tmp\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\nsi2AC5.tmp\SelfDel.dll Jump to behavior
Source: Youbak_MSN_PARTNER2036.exe, 00000002.00000003.1410581975.0000000001F61000.00000004.00001000.00020000.00000000.sdmp, Youbak_MSN_PARTNER2036.exe, 00000002.00000003.1410461810.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, Youbak_MSN_PARTNER2036.exe, 00000002.00000003.1414237770.0000000001F61000.00000004.00001000.00020000.00000000.sdmp, Youbak_MSN_PARTNER2036.tmp, 00000003.00000003.1413320314.00000000021E8000.00000004.00001000.00020000.00000000.sdmp, Youbak_MSN_PARTNER2036.tmp, 00000003.00000003.1413350798.000000000221C000.00000004.00001000.00020000.00000000.sdmp, Youbak_MSN_PARTNER2036.tmp, 00000003.00000003.1413025183.0000000002214000.00000004.00001000.00020000.00000000.sdmp, Youbak_MSN_PARTNER2036.tmp, 00000003.00000003.1413288845.0000000002204000.00000004.00001000.00020000.00000000.sdmp, Youbak_MSN_PARTNER2036.tmp, 00000003.00000003.1412703141.00000000021E8000.00000004.00001000.00020000.00000000.sdmp, Youbak_MSN_PARTNER2036.tmp, 00000003.00000003.1413084543.0000000002218000.00000004.00001000.00020000.00000000.sdmp, Youbak_MSN_PARTNER2036.tmp, 00000003.00000003.1412630705.0000000003100000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://msn.youbak.com
Source: Youbak_MSN_PARTNER2036.exe, 00000002.00000003.1410461810.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, Youbak_MSN_PARTNER2036.tmp, 00000003.00000003.1412630705.0000000003100000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://msn.youbak.com#
Source: Youbak_MSN_PARTNER2036.exe, 00000002.00000003.1410581975.0000000001F61000.00000004.00001000.00020000.00000000.sdmp, Youbak_MSN_PARTNER2036.exe, 00000002.00000003.1414237770.0000000001F61000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://msn.youbak.com2
Source: file.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: file.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Youbak_MSN_PARTNER2036.tmp, Youbak_MSN_PARTNER2036.tmp, 00000003.00000000.1411540739.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Youbak_MSN_PARTNER2036.tmp.2.dr String found in binary or memory: http://www.innosetup.com/
Source: Youbak_MSN_PARTNER2036.exe, 00000002.00000003.1411073569.0000000001F68000.00000004.00001000.00020000.00000000.sdmp, Youbak_MSN_PARTNER2036.exe, 00000002.00000003.1410907677.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, Youbak_MSN_PARTNER2036.tmp, Youbak_MSN_PARTNER2036.tmp, 00000003.00000000.1411540739.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Youbak_MSN_PARTNER2036.tmp.2.dr String found in binary or memory: http://www.remobjects.com/ps
Source: Youbak_MSN_PARTNER2036.exe, 00000002.00000003.1411073569.0000000001F68000.00000004.00001000.00020000.00000000.sdmp, Youbak_MSN_PARTNER2036.exe, 00000002.00000003.1410907677.00000000021D0000.00000004.00001000.00020000.00000000.sdmp, Youbak_MSN_PARTNER2036.tmp, 00000003.00000000.1411540739.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Youbak_MSN_PARTNER2036.tmp.2.dr String found in binary or memory: http://www.remobjects.com/psU
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404F66 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404F66
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00423AF4 NtdllDefWindowProc_A, 3_2_00423AF4
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00456060 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 3_2_00456060
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00412548 NtdllDefWindowProc_A, 3_2_00412548
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00476D78 NtdllDefWindowProc_A, 3_2_00476D78
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0042F000 NtdllDefWindowProc_A, 3_2_0042F000
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0042E6A0: 6D1674B0,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 3_2_0042E6A0
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403121 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_00403121
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: 2_2_004093A8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 2_2_004093A8
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00454680 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 3_2_00454680
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404747 0_2_00404747
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004060FD 0_2_004060FD
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: 2_2_0040836C 2_2_0040836C
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0047E6EB 3_2_0047E6EB
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0048B890 3_2_0048B890
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0045E038 3_2_0045E038
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0045A0E0 3_2_0045A0E0
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004662DC 3_2_004662DC
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00468354 3_2_00468354
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00484654 3_2_00484654
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00444628 3_2_00444628
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00434788 3_2_00434788
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004309C8 3_2_004309C8
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00444A34 3_2_00444A34
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00450BA4 3_2_00450BA4
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0046F128 3_2_0046F128
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0043D210 3_2_0043D210
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00485588 3_2_00485588
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00443988 3_2_00443988
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00433A84 3_2_00433A84
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0042FE3C 3_2_0042FE3C
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00443F30 3_2_00443F30
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\is-3T87F.tmp\_isetup\_RegDLL.tmp 4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: String function: 00405964 appears 106 times
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: String function: 00406A2C appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: String function: 0043399C appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: String function: 004567E0 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: String function: 00403400 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: String function: 00445564 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: String function: 0045252C appears 90 times
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: String function: 0040785C appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: String function: 00408B74 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: String function: 004569EC appears 70 times
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: String function: 00403684 appears 215 times
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: String function: 00445294 appears 45 times
PE file contains executable resources (Code or Archives)
Source: Youbak_MSN_PARTNER2036.exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Youbak_MSN_PARTNER2036.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Youbak_MSN_PARTNER2036.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: Youbak_MSN_PARTNER2036.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Youbak_MSN_PARTNER2036.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Youbak_MSN_PARTNER2036.tmp.2.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
PE file overlay found
Source: SelfDel.dll.0.dr Static PE information: Data appended to the last section found
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: _RegDLL.tmp.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SelfDel.dll.0.dr Static PE information: Section: .reloc ZLIB complexity 1.0891089108910892
Source: classification engine Classification label: mal72.winEXE@5/6@0/0
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: 2_2_004093A8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 2_2_004093A8
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00454680 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 3_2_00454680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404232 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,GetDiskFreeSpaceA,MulDiv, 0_2_00404232
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402067 CoCreateInstance,MultiByteToWideChar, 0_2_00402067
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: 2_2_00409B0C FindResourceA,SizeofResource,LoadResource,LockResource, 2_2_00409B0C
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\nsy299C.tmp Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: file.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe /VERYSILENT /SP- /NORESTART
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Process created: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp "C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp" /SL5="$20468,737659,54272,C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe" /VERYSILENT /SP- /NORESTART
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe /VERYSILENT /SP- /NORESTART Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Process created: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp "C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp" /SL5="$20468,737659,54272,C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe" /VERYSILENT /SP- /NORESTART Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405E06 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E06
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: 2_2_00406518 push 00406555h; ret 2_2_0040654D
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: 2_2_00408064 push ecx; mov dword ptr [esp], eax 2_2_00408069
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: 2_2_004040B5 push eax; ret 2_2_004040F1
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: 2_2_00404185 push 00404391h; ret 2_2_00404389
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: 2_2_00404206 push 00404391h; ret 2_2_00404389
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: 2_2_0040C218 push eax; ret 2_2_0040C219
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: 2_2_004042E8 push 00404391h; ret 2_2_00404389
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: 2_2_00404283 push 00404391h; ret 2_2_00404389
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: 2_2_00408E98 push 00408ECBh; ret 2_2_00408EC3
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004098B4 push 004098F1h; ret 3_2_004098E9
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004062CC push ecx; mov dword ptr [esp], eax 3_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004582F4 push 00458338h; ret 3_2_00458330
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00410640 push ecx; mov dword ptr [esp], edx 3_2_00410645
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0040A6C8 push esp; retf 3_2_0040A6D1
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00492898 push ecx; mov dword ptr [esp], ecx 3_2_0049289D
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00412898 push 004128FBh; ret 3_2_004128F3
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00442900 push ecx; mov dword ptr [esp], ecx 3_2_00442904
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004509E0 push 00450A13h; ret 3_2_00450A0B
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00456A88 push 00456AC0h; ret 3_2_00456AB8
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00450BA4 push ecx; mov dword ptr [esp], eax 3_2_00450BA9
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0045EC90 push ecx; mov dword ptr [esp], ecx 3_2_0045EC94
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00482EFC push ecx; mov dword ptr [esp], ecx 3_2_00482F01
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0040CF98 push ecx; mov dword ptr [esp], edx 3_2_0040CF9A
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0040546D push eax; ret 3_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0040F4F8 push ecx; mov dword ptr [esp], edx 3_2_0040F4FA
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0040553D push 00405749h; ret 3_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004055BE push 00405749h; ret 3_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0040563B push 00405749h; ret 3_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004056A0 push 00405749h; ret 3_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004818A8 push 00481986h; ret 3_2_0048197E
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00419B98 push ecx; mov dword ptr [esp], ecx 3_2_00419B9D
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp File created: C:\Users\user\AppData\Local\Temp\is-3T87F.tmp\_isetup\_RegDLL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp File created: C:\Users\user\AppData\Local\Temp\is-3T87F.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp File created: C:\Users\user\AppData\Local\Temp\is-3T87F.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe File created: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\nsi2AC5.tmp\SelfDel.dll Jump to dropped file
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00423B7C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 3_2_00423B7C
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00423B7C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 3_2_00423B7C
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0042414C IsIconic,SetActiveWindow,SetFocus, 3_2_0042414C
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00424104 IsIconic,SetActiveWindow, 3_2_00424104
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004182F4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 3_2_004182F4
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004227CC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 3_2_004227CC
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00481264 IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 3_2_00481264
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00417508 IsIconic,GetCapture, 3_2_00417508
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00417C40 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 3_2_00417C40
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00417C3E IsIconic,SetWindowPos, 3_2_00417C3E
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3T87F.tmp\_isetup\_shfoldr.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3T87F.tmp\_isetup\_RegDLL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3T87F.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi2AC5.tmp\SelfDel.dll Jump to dropped file
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Evasive API call chain: GetSystemTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp API coverage: 9.1 %
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004053D0 DeleteFileA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405DDF FindFirstFileA,FindClose, 0_2_00405DDF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402684 FindFirstFileA, 0_2_00402684
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00451C48 FindFirstFileA,GetLastError, 3_2_00451C48
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00462C34 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 3_2_00462C34
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004630B0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 3_2_004630B0
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004616A8 FindFirstFileA,FindNextFileA,FindClose, 3_2_004616A8
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004737F4 FindFirstFileA,FindNextFileA,FindClose, 3_2_004737F4
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00495D6C FindFirstFileA,6D1682A0,FindNextFileA,FindClose, 3_2_00495D6C
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: 2_2_00409A50 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 2_2_00409A50
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\nsi2AC5.tmp\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\nsi2AC5.tmp\SelfDel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405E06 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E06
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004767BC ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 3_2_004767BC
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_0045BB2C GetVersion,GetModuleHandleA,6D166DE0,6D166DE0,6D166DE0,AllocateAndInitializeSid,GetLastError,LocalFree, 3_2_0045BB2C
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: GetLocaleInfoA, 2_2_0040515C
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: GetLocaleInfoA, 2_2_004051A8
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: GetLocaleInfoA, 3_2_004084D0
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: GetLocaleInfoA, 3_2_0040851C
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_004575EC GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,6D1674B0,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 3_2_004575EC
Source: C:\Users\user\AppData\Local\Temp\Youbak_MSN_PARTNER2036.exe Code function: 2_2_004026C4 GetSystemTime, 2_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-K5V3G.tmp\Youbak_MSN_PARTNER2036.tmp Code function: 3_2_00454638 GetUserNameA, 3_2_00454638
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405AEE GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree, 0_2_00405AEE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1522729 Sample: file.exe Startdate: 30/09/2024 Architecture: WINDOWS Score: 72 29 Antivirus / Scanner detection for submitted sample 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 Machine Learning detection for sample 2->33 35 AI detected suspicious sample 2->35 7 file.exe 17 2->7         started        process3 file4 17 C:\Users\user\AppData\Local\...\SelfDel.dll, PE32 7->17 dropped 19 C:\Users\user\...\Youbak_MSN_PARTNER2036.exe, PE32 7->19 dropped 10 Youbak_MSN_PARTNER2036.exe 2 7->10         started        process5 file6 21 C:\Users\user\...\Youbak_MSN_PARTNER2036.tmp, PE32 10->21 dropped 37 Multi AV Scanner detection for dropped file 10->37 14 Youbak_MSN_PARTNER2036.tmp 5 10->14         started        signatures7 process8 file9 23 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 14->23 dropped 25 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 14->25 dropped 27 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 14->27 dropped
No contacted IP infos