Windows Analysis Report
startswinstall.exe

Overview

General Information

Sample name: startswinstall.exe
Analysis ID: 1528044
MD5: f01c08e45eb4832131baae55d52fdf22
SHA1: 74378a7dba31d7114a5d2eacc772e6290f5067ab
SHA256: 362689dd85da2ad70f9d47a156ed0284ff40db0fbb783d658f8c7f901287f064

Detection

Score: 19
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Potential key logger detected (key state polling based)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submited Sample Integrated Neural Analysis Model: Matched 85.9% probability
Source: startswinstall.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: startswinstall.exe Static PE information: certificate valid
Source: startswinstall.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\am\i386\WinRelNET\sldim\startswinstall.pdbZ source: startswinstall.exe
Source: Binary string: C:\am\i386\WinRelNET\sldim\startswinstall.pdb source: startswinstall.exe
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 0_2_0024D9D5 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose, 0_2_0024D9D5
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 3_2_0024D9D5 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose, 3_2_0024D9D5
Source: unknown DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: startswinstall.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: startswinstall.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: startswinstall.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: startswinstall.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: startswinstall.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: startswinstall.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: startswinstall.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: startswinstall.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: startswinstall.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: startswinstall.exe String found in binary or memory: http://ocsp.digicert.com0
Source: startswinstall.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: startswinstall.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: startswinstall.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: startswinstall.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 0_2_002753EF GetAsyncKeyState,GetAsyncKeyState,SendMessageW, 0_2_002753EF
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 0_2_00270152 MessageBeep,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW, 0_2_00270152
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 3_2_00270152 MessageBeep,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW, 3_2_00270152
Source: C:\Users\user\Desktop\startswinstall.exe Code function: String function: 0037FC60 appears 91 times
Source: C:\Users\user\Desktop\startswinstall.exe Code function: String function: 0037F9B4 appears 80 times
Source: C:\Users\user\Desktop\startswinstall.exe Code function: String function: 0037F980 appears 229 times
Source: classification engine Classification label: clean19.winEXE@6/3@1/0
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 0_2_0024F022 CoInitialize,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance, 0_2_0024F022
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 0_2_00241CB0 FindResourceW,LoadResource,LockResource,SizeofResource, 0_2_00241CB0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3712:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_03
Source: startswinstall.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\startswinstall.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: startswinstall.exe String found in binary or memory: <StopOnError>0</StopOnError>
Source: startswinstall.exe String found in binary or memory: <StopOnCancel>0</StopOnCancel>
Source: unknown Process created: C:\Users\user\Desktop\startswinstall.exe "C:\Users\user\Desktop\startswinstall.exe" -install
Source: C:\Users\user\Desktop\startswinstall.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\startswinstall.exe "C:\Users\user\Desktop\startswinstall.exe" /install
Source: C:\Users\user\Desktop\startswinstall.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\startswinstall.exe "C:\Users\user\Desktop\startswinstall.exe" /load
Source: C:\Users\user\Desktop\startswinstall.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: ndfapi.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: wdi.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe Automated click: OK
Source: startswinstall.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: startswinstall.exe Static file information: File size 1989960 > 1048576
Source: startswinstall.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16ce00
Source: startswinstall.exe Static PE information: More than 200 imports for USER32.dll
Source: startswinstall.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: startswinstall.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: startswinstall.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: startswinstall.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: startswinstall.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: startswinstall.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: startswinstall.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: startswinstall.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: startswinstall.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: startswinstall.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: startswinstall.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 0_2_0037F949 push ecx; ret 0_2_0037F95C
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 3_2_0037F949 push ecx; ret 3_2_0037F95C
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 0_2_00298EA9 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow, 0_2_00298EA9
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 3_2_0029852C __EH_prolog3_GS,GetParent,GetParent,UpdateWindow,SetCursor,GetAsyncKeyState,InvalidateRect,InflateRect,RedrawWindow,InvalidateRect,InflateRect,UpdateWindow,InflateRect,SetCapture,SetCursor,IsWindow,GetCursorPos,ScreenToClient,PtInRect,RedrawWindow,GetParent,GetParent,RedrawWindow,RedrawWindow,GetParent,GetParent,GetParent,InvalidateRect,UpdateWindow,UpdateWindow,NotifyWinEvent,NotifyWinEvent,SetCapture,RedrawWindow,SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow, 3_2_0029852C
Source: C:\Users\user\Desktop\startswinstall.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\startswinstall.exe API coverage: 4.0 %
Source: C:\Users\user\Desktop\startswinstall.exe API coverage: 4.5 %
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 0_2_00386B83 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00386B83
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 0_2_00249FFC OutputDebugStringA,GetLastError, 0_2_00249FFC
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 0_2_00391D0F mov eax, dword ptr fs:[00000030h] 0_2_00391D0F
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 0_2_00397EA5 mov eax, dword ptr fs:[00000030h] 0_2_00397EA5
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 3_2_00391D0F mov eax, dword ptr fs:[00000030h] 3_2_00391D0F
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 3_2_00397EA5 mov eax, dword ptr fs:[00000030h] 3_2_00397EA5
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 0_2_0037FA5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0037FA5C
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 3_2_0037FA5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0037FA5C
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 3_2_00386B83 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00386B83
Source: C:\Users\user\Desktop\startswinstall.exe Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW, 0_2_00250F0A
Source: C:\Users\user\Desktop\startswinstall.exe Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW, 3_2_00250F0A
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 0_2_0038063C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0038063C
Source: C:\Users\user\Desktop\startswinstall.exe Code function: 0_2_0039799C _free,_free,_free,GetTimeZoneInformation,_free, 0_2_0039799C
No contacted IP infos