Windows Analysis Report
SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe

Overview

General Information

Sample name: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe
Analysis ID: 1532473
MD5: 8c18150421977fe4528204b8095469d1
SHA1: f69137f7558d0953879378b91b58914507df75a8
SHA256: c45f5f52bbcfbb3540aab96ecf76b14df72f3c82f917cb368c23cbf0a92eaaca
Tags: exe

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Compliance

Score: 32
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
EXE planting / hijacking vulnerabilities found
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Virustotal: Detection: 14%
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe, 00000000.00000000.1719627148.00000000013F4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_18794f72-a
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe EXE: C:\Users\user\Desktop\setup.exe

Compliance

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe EXE: C:\Users\user\Desktop\setup.exe
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\nullsoft\nsis_winamp\Release\nsis_winamp.pdb source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr
Source: C:\Users\user\Desktop\setup.exe Code function: 1_2_00406436 FindFirstFileW,FindClose, 1_2_00406436
Source: C:\Users\user\Desktop\setup.exe Code function: 1_2_00406DFC DeleteFileW,CloseHandle,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 1_2_00406DFC
Source: C:\Users\user\Desktop\setup.exe Code function: 1_2_00402E18 FindFirstFileW, 1_2_00402E18
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr String found in binary or memory: ping -n 1 -w 400 www.yahoo.comonlineno connection equals www.yahoo.com (Yahoo)
Source: setup.exe.0.dr String found in binary or memory: http://crl.aol.com/AOL/MasterCRL.crl0
Source: setup.exe.0.dr String found in binary or memory: http://crl.aol.com/AOLMSPKI/aolCodeSign.crl0
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: setup.exe.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: nsiB2D7.tmp.1.dr String found in binary or memory: http://dev.winamp.com/wiki/Main_Page
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr String found in binary or memory: http://download.nullsoft.com/redist/dx/d3dx9_31_42_x86_embed.exed3dx9_31.dll
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr String found in binary or memory: http://download.nullsoft.com/redist/dx/dxwebsetup.exed3dx9_42.dll
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr String found in binary or memory: http://download.nullsoft.com/redist/wm/wmfdist95.exe3287http://download.nullsoft.com/redist/wm/wmfdi
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr String found in binary or memory: http://forums.winamp.comURLUpdateInfo5.66
Source: nsiB2D7.tmp.1.dr String found in binary or memory: http://lyricsplugin.com
Source: nsiB2D7.tmp.1.dr String found in binary or memory: http://mp3licensing.com
Source: setup.exe, 00000001.00000000.1750300204.0000000000408000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000001.00000002.2961693223.0000000000408000.00000002.00000001.01000000.00000006.sdmp, setup.exe.0.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe String found in binary or memory: http://ocsp.sectigo.com0M
Source: setup.exe.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: setup.exe.0.dr String found in binary or memory: http://ocsp.web.aol.com:80/ocsp0
Source: setup.exe.0.dr String found in binary or memory: http://pki-info.aol.com/AOLMSPKI/index.html0
Source: setup.exe.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: setup.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: setup.exe.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: setup.exe.0.dr String found in binary or memory: http://www.winamp.com
Source: setup.exe, 00000001.00000000.1750690873.0000000000678000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, setup.exe.0.dr, nsiB2D7.tmp.1.dr String found in binary or memory: http://www.winamp.com/
Source: nsiB2D7.tmp.1.dr String found in binary or memory: http://www.winamp.com/download
Source: nsiB2D7.tmp.1.dr String found in binary or memory: http://www.winamp.com/legal/cloud
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr String found in binary or memory: http://www.winamp.com/legal/eula/pc0x3FF0x02
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr String found in binary or memory: http://www.winamp.com/legal/eula/pcopen
Source: nsiB2D7.tmp.1.dr String found in binary or memory: http://www.winamp.com/legal/privacy
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr String found in binary or memory: http://www.winamp.com/open
Source: setup.exe, 00000001.00000002.2962784724.0000000002D47000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2962665921.0000000002B42000.00000004.00000020.00020000.00000000.sdmp, nsiB2D7.tmp.1.dr String found in binary or memory: http://www.winamp.comPublisherVersionMajorVersionMinorNoRepairNoModifyModifyPathInstallLocationDispl
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe String found in binary or memory: https://curl.se/docs/hsts.html
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: setup.exe.0.dr String found in binary or memory: https://pki-info.aol.com/AOL/index.html05
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe String found in binary or memory: https://sectigo.com/CPS0
Source: C:\Users\user\Desktop\setup.exe Code function: 1_2_0040522D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_0040522D
Source: C:\Users\user\Desktop\setup.exe Code function: 1_2_00404605 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_00404605
Source: C:\Users\user\Desktop\setup.exe Code function: 1_2_004039E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 1_2_004039E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Code function: 0_2_00DE1170 0_2_00DE1170
Source: C:\Users\user\Desktop\setup.exe Code function: 1_2_0040761C 1_2_0040761C
Source: C:\Users\user\Desktop\setup.exe Code function: 1_2_00407033 1_2_00407033
Source: C:\Users\user\Desktop\setup.exe Code function: 1_2_00404ADC 1_2_00404ADC
Source: C:\Users\user\Desktop\setup.exe Code function: String function: 00406404 appears 57 times
Source: classification engine Classification label: sus36.winEXE@3/7@0/0
Source: C:\Users\user\Desktop\setup.exe Code function: 1_2_004024FB CoCreateInstance, 1_2_004024FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe File created: C:\Users\user\Desktop\setup.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe File created: C:\Users\user\AppData\Local\Temp\7zS4AA59CC2
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExW\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static file information: File size 69456728 > 1048576
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x613000
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\setup.exe Code function: 1_2_0040645D GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_0040645D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Code function: 0_2_0137A5E0 push ecx; ret 0_2_0137A5F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe File created: C:\Users\user\Desktop\setup.exe
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\nsiB326.tmp\System.dll
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\nsiB326.tmp\LangDLL.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiB326.tmp\nsDialogs.dll
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiB326.tmp\System.dll
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsiB326.tmp\LangDLL.dll
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe, 00000000.00000002.1752589497.0000000003710000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA_CD0
Source: SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe, 00000000.00000003.1751240027.0000000000C85000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Cm
Source: C:\Users\user\Desktop\setup.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Code function: 0_2_013D2EAC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_013D2EAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Code function: 0_2_013D73A0 mov eax, dword ptr fs:[00000030h] 0_2_013D73A0
Source: C:\Users\user\Desktop\setup.exe Code function: 1_2_6CEB188A CreateControl,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,GetProcessHeap,HeapReAlloc,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,CreateWindowExW,SetPropW,SendMessageW,SendMessageW,SendMessageW,SetWindowLongW,GetProcessHeap,RtlFreeHeap, 1_2_6CEB188A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Code function: 0_2_0137A955 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0137A955
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20566.20228.21311.exe Code function: 0_2_0137B767 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0137B767
Source: C:\Users\user\Desktop\setup.exe Code function: 1_2_00406966 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 1_2_00406966
No contacted IP infos