Windows Analysis Report
SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe
Analysis ID: 1433049
MD5: 034cb3e5f37e1ce4aa06fbf299f8aad2
SHA1: 1f37f230cfc5def3e322e7f45fea6c8c2c6332a6
SHA256: 705723eb97c62bb078d20146d9c62bf991ba285c420836d19e7fb186598bdf2e
Tags: exe

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Common Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00478B6C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00478B6C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0046F16C FindFirstFileA,FindNextFileA,FindClose, 1_2_0046F16C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004511DC FindFirstFileA,GetLastError, 1_2_004511DC
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00490094 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_00490094
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00476A70 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00476A70
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0045F3A4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045F3A4
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0045F820 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045F820
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0045DE20 FindFirstFileA,FindNextFileA,FindClose, 1_2_0045DE20
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp, 00000001.00000000.1616750104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.dr, is-TTH1H.tmp.1.dr String found in binary or memory: http://www.innosetup.com/
Source: is-CJAM5.tmp.1.dr String found in binary or memory: http://www.mathsavers.com
Source: MBSS Light.scr, MBSS Light.scr, 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, MBSS Light.scr, 00000009.00000000.2144670146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-FPQL9.tmp.1.dr, is-8HO2N.tmp.1.dr, is-JG6KC.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/buy_fireworks.htm
Source: is-24KDP.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/buy_fireworks.htmThttp://www.mathsavers.com/buy_galaxies.htm
Source: MBSS Light.scr, MBSS Light.scr, 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, MBSS Light.scr, 00000009.00000000.2144670146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-FPQL9.tmp.1.dr, is-JG6KC.tmp.1.dr, is-A1AL2.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/buy_galaxies.htm
Source: is-8HO2N.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/buy_galaxies.htmXhttp://www.mathsavers.com/buy_starfields.htm$MBSS
Source: MBSS Light.scr, is-24KDP.tmp.1.dr, is-8HO2N.tmp.1.dr, is-A1AL2.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/buy_gravwells.htm
Source: MBSS Light.scr, 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, MBSS Light.scr, 00000009.00000000.2144670146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-JG6KC.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/buy_gravwells.htmDA
Source: MBSS Light.scr, MBSS Light.scr, 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, MBSS Light.scr, 00000009.00000000.2144670146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-FPQL9.tmp.1.dr, is-24KDP.tmp.1.dr, is-8HO2N.tmp.1.dr, is-JG6KC.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/buy_light.htm
Source: is-A1AL2.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/buy_light.htmVhttp://www.mathsavers.com/buy_fireworks.htm
Source: MBSS Light.scr String found in binary or memory: http://www.mathsavers.com/buy_starfields.htm
Source: MBSS Light.scr, 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, MBSS Light.scr, 00000009.00000000.2144670146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-24KDP.tmp.1.dr, is-JG6KC.tmp.1.dr, is-A1AL2.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/buy_starfields.htm$MBSS
Source: is-FPQL9.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/buy_starfields.htmVhttp://www.mathsavers.com/buy_gravwells.htm
Source: is-CJAM5.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/faq.htm
Source: is-CJAM5.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/faq.htm7
Source: is-A071M.tmp.1.dr, is-M1MRN.tmp.1.dr, is-CJAM5.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/faq.htmCurrent
Source: is-0OC1R.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/fireworks.htm
Source: is-CJAM5.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/galaxy.htm
Source: is-JGPHN.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/gravwell.htm
Source: notepad.exe, 00000007.00000003.2140291731.0000000003355000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000007.00000002.2886013713.0000000003355000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000007.00000003.2140605292.0000000003355000.00000004.00000020.00020000.00000000.sdmp, is-F6CPB.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/light.htm
Source: MBSS Light.scr, MBSS Light.scr, 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, MBSS Light.scr, 00000009.00000000.2144670146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-FPQL9.tmp.1.dr, is-24KDP.tmp.1.dr, is-8HO2N.tmp.1.dr, is-JG6KC.tmp.1.dr, is-A1AL2.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/paypaltip.htm
Source: notepad.exe, 00000007.00000003.2140291731.0000000003355000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000007.00000002.2886013713.0000000003355000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000007.00000003.2140605292.0000000003355000.00000004.00000020.00020000.00000000.sdmp, is-K99HS.tmp.1.dr, is-F6CPB.tmp.1.dr, is-0OC1R.tmp.1.dr, is-Q3TRV.tmp.1.dr, is-JGPHN.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/register.htm
Source: is-0QTJN.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/savers.htm
Source: is-Q3TRV.tmp.1.dr String found in binary or memory: http://www.mathsavers.com/starflds.htm
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.1615640410.0000000002074000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.2231682934.0000000002080000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp, 00000001.00000003.2230227519.0000000002154000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp, 00000001.00000003.1617637618.0000000002148000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mathsavers.com2
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.1615929584.0000000002390000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.1616072704.0000000002088000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp, 00000001.00000000.1616750104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.dr, is-TTH1H.tmp.1.dr String found in binary or memory: http://www.remobjects.com/?ps
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.1615929584.0000000002390000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.1616072704.0000000002088000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp, 00000001.00000000.1616750104.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.dr, is-TTH1H.tmp.1.dr String found in binary or memory: http://www.remobjects.com/?psU
Source: MBSS Light.scr, MBSS Light.scr, 00000009.00000002.2230853726.0000000000401000.00000020.00000001.01000000.00000009.sdmp, MBSS Light.scr, 00000009.00000000.2144670146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, is-FPQL9.tmp.1.dr, is-24KDP.tmp.1.dr, is-8HO2N.tmp.1.dr, is-JG6KC.tmp.1.dr, is-A1AL2.tmp.1.dr String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00423B2C NtdllDefWindowProc_A, 1_2_00423B2C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004722D4 NtdllDefWindowProc_A, 1_2_004722D4
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00412580 NtdllDefWindowProc_A, 1_2_00412580
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0042ED38 NtdllDefWindowProc_A, 1_2_0042ED38
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004551F4 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_004551F4
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0042E6CC: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 1_2_0042E6CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: 0_2_004092A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_004092A0
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00453AF8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_00453AF8
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\MBSS All Products
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\MBSS All Products\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\MBSS All Products\is-TTH1H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-JG6KC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-24KDP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-A1AL2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-8HO2N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-FPQL9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-F6CPB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-K99HS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-0OC1R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-Q3TRV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-JGPHN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-1BOUR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-A071M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-CJAM5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-M1MRN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-0QTJN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-AJOP0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-PB7LK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-5ITG0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-Q8BC7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-JUSIF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-99LG3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-188RC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-TC383.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: 0_2_004082E8 0_2_004082E8
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00462994 1_2_00462994
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0046AC90 1_2_0046AC90
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004797C1 1_2_004797C1
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004800E8 1_2_004800E8
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0044416C 1_2_0044416C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004305D0 1_2_004305D0
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00444864 1_2_00444864
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004588EC 1_2_004588EC
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0046498C 1_2_0046498C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00434A2C 1_2_00434A2C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00444C70 1_2_00444C70
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0047F238 1_2_0047F238
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0043D44C 1_2_0043D44C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0045B694 1_2_0045B694
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0042FB74 1_2_0042FB74
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00443BC4 1_2_00443BC4
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00433D28 1_2_00433D28
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00485FE0 1_2_00485FE0
Source: C:\Windows\SysWOW64\MBSS Light.scr Code function: 9_2_00403044 9_2_00403044
Source: C:\Windows\SysWOW64\MBSS Light.scr Code function: 9_2_00401985 9_2_00401985
Source: C:\Windows\SysWOW64\MBSS Light.scr Code function: 9_2_004D4AB0 9_2_004D4AB0
Source: C:\Windows\SysWOW64\MBSS Light.scr Code function: 9_2_00457B40 9_2_00457B40
Source: C:\Windows\SysWOW64\MBSS Light.scr Code function: String function: 004B4820 appears 52 times
Source: C:\Windows\SysWOW64\MBSS Light.scr Code function: String function: 004B5DC0 appears 165 times
Source: C:\Windows\SysWOW64\MBSS Light.scr Code function: String function: 004DE2E0 appears 95 times
Source: C:\Windows\SysWOW64\MBSS Light.scr Code function: String function: 004DE3D0 appears 138 times
Source: C:\Windows\SysWOW64\MBSS Light.scr Code function: String function: 004D7870 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: String function: 00405964 appears 100 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: String function: 00406A2C appears 38 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: String function: 00403400 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: String function: 004454D0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: String function: 00407894 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: String function: 00433C40 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: String function: 00455970 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: String function: 00451AC0 appears 72 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: String function: 00455B70 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: String function: 004457A0 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: String function: 00403684 appears 204 times
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: String function: 00408BAC appears 44 times
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-TTH1H.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-TTH1H.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: is-TTH1H.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-TTH1H.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-TTH1H.tmp.1.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
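The RT_RCDATA resources typed above as PE32+ x86-64, PE32+ Itanium and PE32 i386 images are what "PE file contains executable resources (Code or Archives)" refers to, and they are consistent with the helper executables an Inno Setup installer carries inside its setup program (the innosetup.com string appears above). The RT_VERSION lines are libmagic guesses about version-info data, which is not code, and are not by themselves evidence of embedded executables. The following Python is an added example, not tooling from this report: a standard-library scanner that finds PE headers embedded in an arbitrary byte buffer and reports the machine type and PE32/PE32+ format, so that an RT_RCDATA blob can be triaged without extracting the resources first. The buffer it scans is constructed in the script (three minimal PE headers plus a decoy MZ stub) and is not the analysed binary.

```python
"""Locate PE images embedded inside another file's bytes (e.g. RT_RCDATA resources).

Added example, not part of the sandbox report. Only the standard library is used.
The CONTAINER buffer below is constructed for demonstration; it is not the sample.
"""
import struct
from typing import List, Optional, Tuple

# IMAGE_FILE_HEADER.Machine values seen in this report's resource listing.
MACHINE_NAMES = {0x014C: "Intel 80386", 0x0200: "Intel Itanium", 0x8664: "x86-64"}
# IMAGE_OPTIONAL_HEADER.Magic: PE32 (32-bit) vs PE32+ (64-bit address fields).
MAGIC_NAMES = {0x10B: "PE32", 0x20B: "PE32+"}


def parse_pe_at(buf: bytes, off: int) -> Optional[Tuple[str, str]]:
    """Return (machine, format) if a well-formed PE header starts at buf[off], else None."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]  # offset of "PE\0\0" from MZ
    pe = off + e_lfanew
    # e_lfanew must point past the DOS header and leave room for COFF header + Magic.
    if e_lfanew < 0x40 or pe + 26 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, _num_sections = struct.unpack_from("<HH", buf, pe + 4)
    size_opt = struct.unpack_from("<H", buf, pe + 20)[0]
    if size_opt < 2:  # no optional header -> an object file or garbage, not an image
        return None
    magic = struct.unpack_from("<H", buf, pe + 24)[0]
    if magic not in MAGIC_NAMES:
        return None
    return MACHINE_NAMES.get(machine, f"unknown(0x{machine:04x})"), MAGIC_NAMES[magic]


def find_embedded_pe(buf: bytes) -> List[Tuple[int, str, str]]:
    """Scan every 'MZ' in buf and keep those backed by a valid PE header."""
    results = []
    pos = buf.find(b"MZ")
    while pos != -1:
        hdr = parse_pe_at(buf, pos)
        if hdr:
            results.append((pos, *hdr))
        pos = buf.find(b"MZ", pos + 1)
    return results


def make_stub_pe(machine: int, magic: int) -> bytes:
    """Constructed minimal PE header: DOS header, COFF header and the start of the optional header."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> immediately after the DOS header
    size_opt = 0xE0 if magic == 0x10B else 0xF0
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", machine, 1, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", magic) + b"\0" * 30  # Magic field plus padding
    return bytes(dos) + coff + opt


# Constructed "resource section": a decoy MZ with no PE header, then three images.
CONTAINER = (
    b"\0" * 256
    + b"MZ" + b"\0" * 62                   # decoy: e_lfanew is 0, so it is rejected
    + make_stub_pe(0x8664, 0x20B)          # PE32+ x86-64, like the first RT_RCDATA entry
    + b"\xCC" * 16
    + make_stub_pe(0x0200, 0x20B)          # PE32+ Itanium
    + b"\xCC" * 16
    + make_stub_pe(0x014C, 0x10B)          # PE32 i386
)

if __name__ == "__main__":
    for offset, machine, fmt in find_embedded_pe(CONTAINER):
        print(f"offset 0x{offset:x}: {fmt} {machine}")
```

Running the scanner over the raw bytes of a resource section is enough to confirm or refute a "contains executable resources" verdict; extracting the RT_RCDATA entries and hashing them is the next step when the embedded images need to be identified.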
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.1615929584.0000000002390000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe, 00000000.00000003.1616072704.0000000002088000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe
Source: _RegDLL.tmp.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: sus24.evad.winEXE@9/73@0/0
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00454320 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 1_2_00454320
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: 0_2_00409A04 FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00409A04
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Users\user\Desktop\MBSS Light.lnk
Source: C:\Windows\SysWOW64\MBSS Light.scr Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe File created: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Process created: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp "C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp" /SL5="$1046E,1226042,57344,C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\system32\MBSS Light Readme.txt
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Process created: C:\Windows\SysWOW64\rundll32.exe "rundll32.exe" desk.cpl,InstallScreenSaver C:\Windows\system32\MBSS Light.scr
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\MBSS Light.scr "C:\Windows\system32\MBSS Light.scr" /p 66834
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: mrmcorer.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: efswrt.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\notepad.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\MBSS Light.scr Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\MBSS Light.scr Section loaded: msvbvm60.dll
Source: C:\Windows\SysWOW64\MBSS Light.scr Section loaded: vb6zz.dll
Source: C:\Windows\SysWOW64\MBSS Light.scr Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\MBSS Light.scr Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\MBSS Light.scr Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\MBSS Light.scr Section loaded: mbssm6.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: MBSS Starfields Readme.lnk.1.dr LNK file: ..\..\..\..\..\..\Windows\System32\MBSS Starfields Readme.txt
Source: MBSS Gravity Wells Readme.lnk.1.dr LNK file: ..\..\..\..\..\..\Windows\System32\MBSS Gravity Wells Readme.txt
Source: MBSS Website.lnk.1.dr LNK file: ..\..\..\..\..\..\Windows\System32\MBSS_GoTo_MathSavers.url
Source: Uninstall MBSS All Products.lnk.1.dr LNK file: ..\..\..\..\..\..\Windows\MBSS All Products\unins000.exe
Source: MBSS Light.lnk.1.dr LNK file: ..\..\..\Windows\System32\MBSS Light.scr
Source: MBSS Galaxies.lnk.1.dr LNK file: ..\..\..\Windows\System32\MBSS Galaxies.scr
Source: MBSS Fireworks.lnk.1.dr LNK file: ..\..\..\Windows\System32\MBSS Fireworks.scr
Source: MBSS Starfields.lnk.1.dr LNK file: ..\..\..\Windows\System32\MBSS Starfields.scr
Source: MBSS Gravity Wells.lnk.1.dr LNK file: ..\..\..\Windows\System32\MBSS Gravity Wells.scr
Source: MBSS Light.lnk0.1.dr LNK file: ..\..\..\..\..\..\Windows\System32\MBSS Light.scr
Source: MBSS Galaxies.lnk0.1.dr LNK file: ..\..\..\..\..\..\Windows\System32\MBSS Galaxies.scr
Source: MBSS Fireworks.lnk0.1.dr LNK file: ..\..\..\..\..\..\Windows\System32\MBSS Fireworks.scr
Source: MBSS Starfields.lnk0.1.dr LNK file: ..\..\..\..\..\..\Windows\System32\MBSS Starfields.scr
Source: MBSS Gravity Wells.lnk0.1.dr LNK file: ..\..\..\..\..\..\Windows\System32\MBSS Gravity Wells.scr
Source: MBSS Light Help.lnk.1.dr LNK file: ..\..\..\..\..\..\Windows\System32\MBSS Light.hlp
Source: MBSS Galaxy Help.lnk.1.dr LNK file: ..\..\..\..\..\..\Windows\System32\MBSS Galaxy.hlp
Source: Star Help.lnk.1.dr LNK file: ..\..\..\..\..\..\..\..\Windows\System32\MBSS_Gen.hlp
Source: MBSS Light Readme.lnk.1.dr LNK file: ..\..\..\..\..\..\Windows\System32\MBSS Light Readme.txt
Source: MBSS Galaxies Readme.lnk.1.dr LNK file: ..\..\..\..\..\..\Windows\System32\MBSS Galaxies Readme.txt
Source: MBSS Fireworks Readme.lnk.1.dr LNK file: ..\..\..\..\..\..\Windows\System32\MBSS Fireworks Readme.txt
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Automated click: I accept the agreement
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\rundll32.exe Window detected: Number of UI elements: 11
Source: SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Static file information: File size 1583275 > 1048576
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0044AD34 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0044AD34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: 0_2_00406518 push 00406555h; ret 0_2_0040654D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: 0_2_00408D90 push 00408DC3h; ret 0_2_00408DBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: 0_2_00407FE0 push ecx; mov dword ptr [esp], eax 0_2_00407FE5
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004098EC push 00409929h; ret 1_2_00409921
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax 1_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004305D0 push ecx; mov dword ptr [esp], eax 1_2_004305D5
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00410678 push ecx; mov dword ptr [esp], edx 1_2_0041067D
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004128D0 push 00412933h; ret 1_2_0041292B
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0047C88C push 0047C96Ah; ret 1_2_0047C962
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00450A78 push 00450AABh; ret 1_2_00450AA3
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00442B3C push ecx; mov dword ptr [esp], ecx 1_2_00442B40
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0040CFD0 push ecx; mov dword ptr [esp], edx 1_2_0040CFD2
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004573DC push 00457420h; ret 1_2_00457418
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0045B38C push ecx; mov dword ptr [esp], eax 1_2_0045B391
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0040F530 push ecx; mov dword ptr [esp], edx 1_2_0040F532
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004715E8 push ecx; mov dword ptr [esp], edx 1_2_004715E9
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00419BD0 push ecx; mov dword ptr [esp], ecx 1_2_00419BD5
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00455C0C push 00455C44h; ret 1_2_00455C3C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0047DEE0 push ecx; mov dword ptr [esp], ecx 1_2_0047DEE5
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00409FE7 push ds; ret 1_2_00409FE8

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe Executable created and started: C:\Windows\SysWOW64\MBSS Light.scr
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\MBSS Galaxies.scr (copy)
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-FPQL9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\MBSS Light.scr (copy)
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\MBSS Fireworks.scr (copy)
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-1BOUR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\MBSS Gravity Wells.scr (copy)
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\MBSSM6.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-JG6KC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\MBSS Starfields.scr (copy)
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-A1AL2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-24KDP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\SysWOW64\is-8HO2N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\MBSS All Products\is-TTH1H.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe File created: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\Windows\MBSS All Products\unins000.exe (copy)

Boot Survival

Source: C:\Windows\SysWOW64\rundll32.exe Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop SCRNSAVE.EXE
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Light.lnk
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Galaxies.lnk
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Fireworks.lnk
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Starfields.lnk
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Gravity Wells.lnk
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Light Help.lnk
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Galaxy Help.lnk
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Fire
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Fire\Gravity
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Fire\Gravity\Star Help.lnk
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Light Readme.lnk
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Galaxies Readme.lnk
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Fireworks Readme.lnk
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Starfields Readme.lnk
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Gravity Wells Readme.lnk
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\MBSS Website.lnk
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MBSS All Products\Uninstall MBSS All Products.lnk
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00422804 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_00422804
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00423BB4 IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423BB4
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0042413C IsIconic,SetActiveWindow, 1_2_0042413C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00424184 IsIconic,SetActiveWindow,SetFocus, 1_2_00424184
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0047C25C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_0047C25C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0041832C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_0041832C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00417540 IsIconic,GetCapture, 1_2_00417540
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00417C76 IsIconic,SetWindowPos, 1_2_00417C76
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00417C78 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417C78
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0044AD34 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_0044AD34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\MBSS Light.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\MBSS Light.scr Window / User API: threadDelayed 9914
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\MBSS Galaxies.scr (copy)
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\is-FPQL9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\MBSS Fireworks.scr (copy)
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\is-1BOUR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\MBSS Gravity Wells.scr (copy)
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\MBSS Starfields.scr (copy)
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\is-A1AL2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\is-24KDP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_RegDLL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\is-8HO2N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Dropped PE file which has not been started: C:\Windows\MBSS All Products\is-TTH1H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Dropped PE file which has not been started: C:\Windows\MBSS All Products\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2J8KK.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Windows\SysWOW64\MBSS Light.scr API coverage: 5.7 %
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00478B6C FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00478B6C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0046F16C FindFirstFileA,FindNextFileA,FindClose, 1_2_0046F16C
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004511DC FindFirstFileA,GetLastError, 1_2_004511DC
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00490094 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_00490094
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00476A70 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose, 1_2_00476A70
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0045F3A4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045F3A4
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0045F820 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0045F820
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0045DE20 FindFirstFileA,FindNextFileA,FindClose, 1_2_0045DE20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: 0_2_00409948 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409948
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00471D70 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_00471D70
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Process created: C:\Windows\SysWOW64\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\system32\MBSS Light Readme.txt
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_0045A0E8 GetVersion,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,AllocateAndInitializeSid,GetLastError,LocalFree, 1_2_0045A0E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: GetLocaleInfoA, 0_2_0040515C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: GetLocaleInfoA, 0_2_004051A8
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: GetLocaleInfoA, 1_2_00408508
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: GetLocaleInfoA, 1_2_00408554
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\notepad.exe Queries volume information: C:\Windows\SysWOW64\MBSS Light Readme.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_004566B8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_004566B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-3U7SU.tmp\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.tmp Code function: 1_2_00453AB0 GetUserNameA, 1_2_00453AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.HLLW.Autoruner1.41577.13226.11498.exe Code function: 0_2_00405C44 GetVersionExA, 0_2_00405C44
No contacted IP infos