Windows Analysis Report
SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
Analysis ID: 1417372
MD5: 3eaa0fb10cc609ba960bb9bc9f503b81
SHA1: 4b20bfb6751fc27c6fee082436cbd3964961569a
SHA256: 8ceb160dd7b7001c380cd0db545a20fd5db3095dba35547018209e00081f75b4
Tags: exe

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Use NTFS Short Name in Command Line
Sigma detected: Use Short Name Path in Command Line
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Avira: detected
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\sfx.exe ReversingLabs: Detection: 15%
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\sfx.exe Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\sfx.exe ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\sfx.exe Virustotal: Detection: 20%
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe ReversingLabs: Detection: 60%
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Virustotal: Detection: 70%
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10003710 lstrcmpiA,CreateFileA,GetLastError,GetLastError,ImageEnumerateCertificates,GetLastError,ImageGetCertificateHeader,GetLastError,ImageGetCertificateData,GetLastError,CryptVerifyMessageSignature,GetLastError,CertGetNameStringA,CertGetNameStringA,_memset,CertGetNameStringA,lstrcmpA,CertFreeCertificateContext,CloseHandle, 2_2_10003710
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: c:\eaccleandrv\objfre_wxp_x86\i386\ListOpenedFileDrv.pdbp source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: c:\eaccleandrv\objfre_wlh_x86\i386\ListOpenedFileDrv.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: g:\svn\vclnr_trunk\src\vclnr_dll\Release\vclnr.pdb, source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: c:\work\adsoft_setup\setup\Release\setup.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000000.1628661608.0000000000418000.00000002.00000001.01000000.00000004.sdmp, setup.exe, 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: c:\Documents and Settings\ThomasP\Desktop\CustomCleanerProject\CustomCleaner20100310\ManualCustomCleaner\Release\EacCleaner.pdb$pB source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000000.1630351044.000000000041E000.00000002.00000001.01000000.00000006.sdmp, EacCleaner.exe, 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp, EacCleaner.exe, 00000003.00000000.1634531650.000000000041E000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: c:\eaccleandrv\objfre_wxp_x86\i386\ListOpenedFileDrv.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: g:\svn\vclnr_trunk\src\vclnr_dll\Release\vclnr.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: c:\work\adsoft_setup\sfx\sfx_Release\sfx.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000000.1610035686.0000000000415000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Documents and Settings\ThomasP\Desktop\CustomCleanerProject\CustomCleaner20100310\ManualCustomCleaner\Release\EacCleaner.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000000.1630351044.000000000041E000.00000002.00000001.01000000.00000006.sdmp, EacCleaner.exe, 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp, EacCleaner.exe, 00000003.00000000.1634531650.000000000041E000.00000002.00000001.01000000.00000008.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: 0_2_004027E8 _memset,_memset,_memset,lstrlenA,lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,GetTickCount,GetFileAttributesA,lstrcmpA,lstrcmpA,wsprintfA,DeleteFileA,GetTickCount,GetFileAttributesA,GetTickCount,Sleep,GetFileAttributesA,FindNextFileA,FindClose,RemoveDirectoryA,GetTickCount,GetFileAttributesA,GetTickCount,Sleep,GetFileAttributesA, 0_2_004027E8
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_0040355D _memset,FindFirstFileA,FindClose,FileTimeToSystemTime, 1_2_0040355D
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_004033CA _memset,_memset,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,FindFirstFileA,FindFirstFileA,FindClose,FindClose,FindFirstFileA,FindClose,CompareFileTime, 1_2_004033CA
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_00407831 _memset,_memset,_memset,lstrlenA,GetFileAttributesA,lstrcpyA,PathAddBackslashA,lstrcatA,FindFirstFileA,FindNextFileA,Sleep,lstrcmpA,lstrcmpA,wsprintfA,DeleteFileA,GetTickCount,GetFileAttributesA,GetTickCount,Sleep,GetFileAttributesA,FindNextFileA,FindClose,Sleep,RemoveDirectoryA,RemoveDirectoryA,Sleep,RemoveDirectoryA,GetTickCount,GetTickCount,Sleep,GetFileAttributesA,GetTickCount,Sleep, 1_2_00407831
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_0040EBA0 PathFileExistsA,FindFirstFileA,FindNextFileA,DeleteFileA,GetFileAttributesA,DeleteFileA,FindNextFileA, 2_2_0040EBA0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100452C0 _memset,FindFirstFileA,FindClose,PathRemoveFileSpecA,CopyFileA, 2_2_100452C0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100432E0 _memset,lstrcpynA,lstrcpynA,PathFindFileNameA,_memset,lstrcpynA,PathRemoveFileSpecA,_memset,lstrcpynA,PathAddBackslashA,PathAddBackslashA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,_memset,lstrcpynA,PathAddBackslashA,GetFileAttributesA,PathAddBackslashA,FindNextFileA,FindClose, 2_2_100432E0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_1008F310 FindFirstFileA,lstrcpynA,PathFileExistsA,PathFindExtensionA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,_memset,GetShortPathNameA, 2_2_1008F310
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100453F0 _memset,_memset,lstrcpynA,lstrcpynA,StrRChrIA,FindFirstFileA,FindFirstFileA,FindFirstFileA,lstrcpynA,PathAddBackslashA,StrChrA,GetFileAttributesA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,SetFileAttributesA,_memset,lstrcpynA,PathRemoveFileSpecA,FindNextFileA,FindClose, 2_2_100453F0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100458D0 _memset,lstrcpynA,lstrcpynA,PathFindFileNameA,_memset,lstrcpynA,PathRemoveFileSpecA,_memset,lstrcpynA,PathAddBackslashA,PathAddBackslashA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,_memset,lstrcpynA,PathAddBackslashA,StrChrA,GetFileAttributesA,PathAddBackslashA,FindNextFileA,FindClose, 2_2_100458D0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10041930 FindFirstFileA,lstrcpynA,lstrlenA,_memset,lstrcmpiA, 2_2_10041930
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10043A30 _memset,lstrcpynA,PathAddBackslashA,_memset,FindFirstFileA,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,_memset,lstrcpynA,PathAddBackslashA,GetFileAttributesA,_memset,lstrcpynA,PathAddBackslashA,_memset,lstrcpynA,FindNextFileA,FindClose, 2_2_10043A30
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10041B00 GetFileAttributesA,CreateFileA,GetFileSize,CloseHandle,_memset,FindFirstFileA,FindFirstFileA,FindFirstFileA,FindClose, 2_2_10041B00
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10041C80 _memset,PathRemoveFileSpecA,FindFirstFileA,FindFirstFileA,FindFirstFileA,lstrcmpiA,PathAddBackslashA,PathAddBackslashA,FindNextFileA,FindNextFileA,lstrcmpiA,PathAddBackslashA,FindNextFileA,FindClose, 2_2_10041C80
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_1008FF00 _memset,FindFirstFileA, 2_2_1008FF00
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100460A0 SetErrorMode,FindFirstFileA,lstrcmpiA,lstrcmpiA,StrChrIA,FindNextFileA,SetErrorMode,FindClose, 2_2_100460A0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10042260 FindFirstFileA,lstrcpynA,CreateFileA,GetFileSize,CloseHandle,_memset,FindFirstFileA,FindFirstFileA,FindFirstFileA,FindClose, 2_2_10042260
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100423F0 FindFirstFileA,lstrcpynA,lstrlenA,CreateFileA,CreateFileA,CreateFileA,CreateFileMappingA,MapViewOfFile,GetFileSize,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle, 2_2_100423F0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_1008E470 _memset,FindFirstFileA, 2_2_1008E470
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_1008E6C0 _memset,FindFirstFileA, 2_2_1008E6C0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10042700 _memset,_memset,_memset,_memset,PathRemoveFileSpecA,PathRemoveFileSpecA,PathFindFileNameA,PathRemoveFileSpecA,PathFileExistsA,PathAppendA,FindFirstFileA,FindFirstFileA,FindFirstFileA,_memset,_memset,PathAddBackslashA,PathAddBackslashA,StrChrIA,_memset,PathAddBackslashA,_memset,PathAddBackslashA,PathAppendA,GetFileAttributesA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,_memset,PathAppendA,PathMatchSpecA,FindNextFileA,FindClose, 2_2_10042700
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10044970 GetFileAttributesA,_memset,_memset,FindFirstFileA,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,GetFileAttributesA,PathAddBackslashA,FindNextFileA,FindClose, 2_2_10044970
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10042EF0 _memset,_memset,lstrcpynA,StrRChrIA,FindFirstFileA,FindFirstFileA,FindFirstFileA,lstrcpynA,PathAddBackslashA,GetFileAttributesA,FindNextFileA,lstrcpynA,PathAddBackslashA,GetFileAttributesA,FindNextFileA,FindClose, 2_2_10042EF0
Source: EacCleaner.exe, 00000002.00000002.1631577343.00000000006FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.eacceleration.com
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1633209038.000000000076E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp, EacCleaner.exe, 00000002.00000002.1631577343.00000000006FE000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1637918782.000000000059C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.eacceleration.com0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10047760 _memset,_memset,DeviceIoControl,_memset,_memset, 2_2_10047760
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100475D0 CloseHandle,OpenSCManagerA,OpenServiceA,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 2_2_100475D0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_0040305A GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_0040305A
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_0040EA50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 2_2_0040EA50
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe File deleted: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: String function: 100A6B44 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: String function: 10083CD0 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: String function: 004106DC appears 39 times
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: String function: 100722A0 appears 123 times
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: String function: 0040B2D0 appears 45 times
Source: vclnr.dll.0.dr Static PE information: Resource name: BINARY type: PE32 executable (native) Intel 80386, for MS Windows
Source: vclnr.dll.1.dr Static PE information: Resource name: BINARY type: PE32 executable (native) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesetup.exe-uninst_<>.exe` vs SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesfx.exe* vs SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevCleaner.dll2 vs SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000002.1636489163.000000000041D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesfx.exe* vs SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Section loaded: vclnr.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: vclnr.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: logoncontroller.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: userenv.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: slc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: sppc.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: winsta.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.logon.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wincorlib.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xamlhost.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: mrmcorer.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: inputhost.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: propsys.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: languageoverlayutil.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xaml.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: profapi.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: netutils.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.globalization.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: dxcore.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.blockedshutdown.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: directmanipulation.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xaml.controls.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: threadpoolwinrt.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.applicationmodel.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.graphics.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wldp.dll
Source: C:\Windows\System32\LogonUI.exe Section loaded: wuceffects.dll
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal76.evad.winEXE@8/18@0/0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_0040305A GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_0040305A
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_0040EA50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 2_2_0040EA50
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_0040D050 CoCreateInstance, 2_2_0040D050
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_0040D0D0 FindResourceA,FindResourceA,FindResourceA,LoadResource,LockResource,LoadResource,LockResource,LoadResource,LockResource,DialogBoxIndirectParamA,GetLastError,GlobalHandle,GlobalFree,GetLastError,SetLastError, 2_2_0040D0D0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe File created: C:\Program Files (x86)\Acceleration Software
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe File created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Command line argument: /InstallerId 0_2_00402129
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Command line argument: /Cmd_Extract 0_2_00402129
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Command line argument: -we 0_2_00402129
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Command line argument: ExecSetup 0_2_00402129
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Command line argument: eAcceleration 0_2_00402129
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Command line argument: DelFolder 0_2_00402129
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: ENU 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Msg 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Text 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: ENU 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Title 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Text 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Uninstall 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: ENU 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: EndMsg 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Text 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: ENU 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: EndTitle 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Text 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: ENU 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: EndMsgReboot 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Text 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: ENU 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: EndTitleReboot 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: Text 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Command line argument: done. 2_2_00409AC0
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe File read: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe ReversingLabs: Detection: 60%
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Virustotal: Detection: 70%
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe String found in binary or memory: /InstallerId
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Process created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe /Cmd C:\Users\user\Desktop\SECURI~1.EXE "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe"
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Process created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe C:\Users\user\AppData\Local\Temp\EAC309~1\Eaccleaner.exe -d
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Process created: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\Eaccleaner.exe
Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x4 /state0:0xa3f4f855 /state1:0x41c64e6d
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Process created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe /Cmd C:\Users\user\Desktop\SECURI~1.EXE "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe"
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Process created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe C:\Users\user\AppData\Local\Temp\EAC309~1\Eaccleaner.exe -d
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Process created: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\Eaccleaner.exe
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000507-0000-0010-8000-00AA006D2EA4}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe File written: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.ini
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\eaccleandrv\objfre_wxp_x86\i386\ListOpenedFileDrv.pdbp source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: c:\eaccleandrv\objfre_wlh_x86\i386\ListOpenedFileDrv.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: g:\svn\vclnr_trunk\src\vclnr_dll\Release\vclnr.pdb, source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: c:\work\adsoft_setup\setup\Release\setup.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000000.1628661608.0000000000418000.00000002.00000001.01000000.00000004.sdmp, setup.exe, 00000001.00000002.1635942079.0000000000418000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: c:\Documents and Settings\ThomasP\Desktop\CustomCleanerProject\CustomCleaner20100310\ManualCustomCleaner\Release\EacCleaner.pdb$pB source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000000.1630351044.000000000041E000.00000002.00000001.01000000.00000006.sdmp, EacCleaner.exe, 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp, EacCleaner.exe, 00000003.00000000.1634531650.000000000041E000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: c:\eaccleandrv\objfre_wxp_x86\i386\ListOpenedFileDrv.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632947754.00000000100F5000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: g:\svn\vclnr_trunk\src\vclnr_dll\Release\vclnr.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000002.1632903257.00000000100D4000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: c:\work\adsoft_setup\sfx\sfx_Release\sfx.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000000.1610035686.0000000000415000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000002.1636453116.0000000000415000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1634168219.000000000076F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\Documents and Settings\ThomasP\Desktop\CustomCleanerProject\CustomCleaner20100310\ManualCustomCleaner\Release\EacCleaner.pdb source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe, 00000000.00000003.1611850417.00000000025C3000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000002.00000000.1630351044.000000000041E000.00000002.00000001.01000000.00000006.sdmp, EacCleaner.exe, 00000002.00000002.1631069678.000000000041E000.00000002.00000001.01000000.00000006.sdmp, EacCleaner.exe, 00000003.00000000.1634531650.000000000041E000.00000002.00000001.01000000.00000008.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: 0_2_00401317 _memset,lstrcpyA,lstrcpyA,GetFileAttributesA,GetFileAttributesA,lstrcpyA,GetFileAttributesA,LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_00401317
Source: SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Static PE information: real checksum: 0x257d3 should be: 0xf25f6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: 0_2_0040E0B5 push ecx; ret 0_2_0040E0C8
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_00409029 push ecx; ret 1_2_0040903C
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_0040B315 push ecx; ret 1_2_0040B328
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_00410E8B push ecx; ret 2_2_00410E9E
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_00410721 push ecx; ret 2_2_00410734
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100A6B89 push ecx; ret 2_2_100A6B9C
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100A6FA3 push ecx; ret 2_2_100A6FB6
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe File created: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\setup.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe File created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe File created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe File created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\vclnr.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe File created: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\vclnr.dll
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe File created: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe File created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\sfx.exe
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe File created: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\sfx.exe
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_004030E2 _memset,_memset,GetPrivateProfileStringA,GetPrivateProfileStringA,lstrcmpiA,lstrcmpiA,GetCommandLineA,GetPrivateProfileStringA,lstrcmpiA, 1_2_004030E2
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_00402131 StrStrIA,_memset,_memset,_memset,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,lstrlenA,lstrlenA,lstrcmpiA,GetTempPathA,lstrlenA,PathAddBackslashA,PathAddBackslashA,PathAddBackslashA,GetShortPathNameA, 1_2_00402131
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_004065FA _memset,_memset,_memset,_memset,_memset,GetPrivateProfileIntA,GetPrivateProfileStringA,lstrcmpA, 1_2_004065FA
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_00403256 _memset,_memset,GetPrivateProfileStringA,GetPrivateProfileStringA,lstrcmpiA,lstrcmpiA,GetCommandLineA,GetPrivateProfileStringA,lstrcmpiA, 1_2_00403256
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_00406F3D __EH_prolog3,_memset,_memset,_memset,_memset,CreateMutexA,WaitForSingleObject,_memset,GetPrivateProfileStringA,_memset,MessageBoxA,ReleaseMutex,CloseHandle,_memset,PathAppendA,DeleteFileA, 1_2_00406F3D
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_004067B1 _memset,_memset,_memset,_memset,_memset,_memset,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,lstrcmpA,lstrcmpA,lstrcmpiA, 1_2_004067B1
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_0040185D GetPrivateProfileStringA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,_memset,StrStrIA,lstrlenA,_memset,StrStrIA,_memset,_memset,lstrlenA,lstrlenA,StrStrIA,StrStrIA,lstrlenA,StrToIntA,lstrlenA,SHSetValueA,SHDeleteValueA,SHDeleteKeyA, 1_2_0040185D
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_004048AA LoadStringA,_memset,_memset,_memset,_memset,_memset,_memset,GetModuleHandleA,GetModuleFileNameA,PathRemoveFileSpecA,SetCurrentDirectoryA,PathAddBackslashA,GetPrivateProfileStringA,lstrcmpA,lstrlenA,PathQuoteSpacesA,PathAddBackslashA,GetTempPathA,PathFindFileNameA,CopyFileA,CopyFileA,PathRemoveExtensionA,CopyFileA,GetFileAttributesA,PathQuoteSpacesA, 1_2_004048AA
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_00403982 lstrcmpiA,_memset,_memset,_memset,_memset,_memset,GetModuleHandleA,GetModuleFileNameA,PathRemoveFileSpecA,PathAddBackslashA,GetPrivateProfileStringA,lstrcmpA,lstrlenA,PathQuoteSpacesA,SHDeleteKeyA, 1_2_00403982
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_004016E1 lstrlenA,StrStrIA,_memset,_memset,_memset,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,SHGetValueA,lstrlenA,PathAddBackslashA,PathAddBackslashA,PathAddBackslashA,PathRemoveBackslashA, 1_2_004016E1
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_00403B54 _memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,GetPrivateProfileIntA,GetPrivateProfileStringA,lstrcmpA,StrStrIA,StrStrIA,GetPrivateProfileStringA,lstrcmpA,PathFindFileNameA,GetPrivateProfileStringA,lstrcmpA,lstrlenA,GetPrivateProfileStringA,GetPrivateProfileStringA,StrStrIA,GetPrivateProfileIntA,DeleteFileA,StrStrIA,PathRemoveArgsA,GetFileAttributesA, 1_2_00403B54
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_00403FE1 _memset,_memset,_memset,_memset,_memset,_memset,_memset,GetPrivateProfileIntA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileIntA,GetPrivateProfileStringA,lstrcmpA,PathUnquoteSpacesA,PathAddBackslashA,PathRemoveBackslashA,GetFileAttributesA,lstrlenA,StrStrIA,RemoveDirectoryA,GetFileAttributesA,DeleteFileA, 1_2_00403FE1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\LogonUI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\LogonUI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\LogonUI.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: _memset,GetModuleHandleA,GetModuleFileNameA,PathFindFileNameA,StrStrIA,_memset,_memset,LoadStringA,LoadStringA,LoadStringA,MessageBoxA, 1_2_00404DD8
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: #17,StrStrIA,StrStrIA,_memset,_memset,_memset,_memset,vClnr_initData,EndDialog,IsWindow,Sleep,CloseHandle,vClnr_getText,vClnr_getText,GetActiveWindow,vClnr_cleanType,vClnr_getText,vClnr_getText,vClnr_getText,vClnr_getText,vClnr_unitData,GetModuleFileNameA,PathRemoveFileSpecA,PathAddBackslashA,lstrcatA,PathFileExistsA,lstrlenA,LoadStringA,LoadStringA,lstrlenA,LoadStringA,GetActiveWindow,GetActiveWindow,PathFileExistsA,lstrlenA,lstrlenA,LoadStringA,LoadStringA,lstrlenA,LoadStringA,GetActiveWindow,GetActiveWindow, 2_2_00409AC0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10080440 2_2_10080440
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10080660 2_2_10080660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\sfx.exe
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Dropped PE file which has not been started: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\sfx.exe
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe API coverage: 2.1 %
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10080660 2_2_10080660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: 0_2_004027E8 _memset,_memset,_memset,lstrlenA,lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,GetTickCount,GetFileAttributesA,lstrcmpA,lstrcmpA,wsprintfA,DeleteFileA,GetTickCount,GetFileAttributesA,GetTickCount,Sleep,GetFileAttributesA,FindNextFileA,FindClose,RemoveDirectoryA,GetTickCount,GetFileAttributesA,GetTickCount,Sleep,GetFileAttributesA, 0_2_004027E8
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_0040355D _memset,FindFirstFileA,FindClose,FileTimeToSystemTime, 1_2_0040355D
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_004033CA _memset,_memset,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,FindFirstFileA,FindFirstFileA,FindClose,FindClose,FindFirstFileA,FindClose,CompareFileTime, 1_2_004033CA
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_00407831 _memset,_memset,_memset,lstrlenA,GetFileAttributesA,lstrcpyA,PathAddBackslashA,lstrcatA,FindFirstFileA,FindNextFileA,Sleep,lstrcmpA,lstrcmpA,wsprintfA,DeleteFileA,GetTickCount,GetFileAttributesA,GetTickCount,Sleep,GetFileAttributesA,FindNextFileA,FindClose,Sleep,RemoveDirectoryA,RemoveDirectoryA,Sleep,RemoveDirectoryA,GetTickCount,GetTickCount,Sleep,GetFileAttributesA,GetTickCount,Sleep, 1_2_00407831
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_0040EBA0 PathFileExistsA,FindFirstFileA,FindNextFileA,DeleteFileA,GetFileAttributesA,DeleteFileA,FindNextFileA, 2_2_0040EBA0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100452C0 _memset,FindFirstFileA,FindClose,PathRemoveFileSpecA,CopyFileA, 2_2_100452C0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100432E0 _memset,lstrcpynA,lstrcpynA,PathFindFileNameA,_memset,lstrcpynA,PathRemoveFileSpecA,_memset,lstrcpynA,PathAddBackslashA,PathAddBackslashA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,_memset,lstrcpynA,PathAddBackslashA,GetFileAttributesA,PathAddBackslashA,FindNextFileA,FindClose, 2_2_100432E0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_1008F310 FindFirstFileA,lstrcpynA,PathFileExistsA,PathFindExtensionA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,_memset,GetShortPathNameA, 2_2_1008F310
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100453F0 _memset,_memset,lstrcpynA,lstrcpynA,StrRChrIA,FindFirstFileA,FindFirstFileA,FindFirstFileA,lstrcpynA,PathAddBackslashA,StrChrA,GetFileAttributesA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,SetFileAttributesA,_memset,lstrcpynA,PathRemoveFileSpecA,FindNextFileA,FindClose, 2_2_100453F0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100458D0 _memset,lstrcpynA,lstrcpynA,PathFindFileNameA,_memset,lstrcpynA,PathRemoveFileSpecA,_memset,lstrcpynA,PathAddBackslashA,PathAddBackslashA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,_memset,lstrcpynA,PathAddBackslashA,StrChrA,GetFileAttributesA,PathAddBackslashA,FindNextFileA,FindClose, 2_2_100458D0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10041930 FindFirstFileA,lstrcpynA,lstrlenA,_memset,lstrcmpiA, 2_2_10041930
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10043A30 _memset,lstrcpynA,PathAddBackslashA,_memset,FindFirstFileA,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,_memset,lstrcpynA,PathAddBackslashA,GetFileAttributesA,_memset,lstrcpynA,PathAddBackslashA,_memset,lstrcpynA,FindNextFileA,FindClose, 2_2_10043A30
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10041B00 GetFileAttributesA,CreateFileA,GetFileSize,CloseHandle,_memset,FindFirstFileA,FindFirstFileA,FindFirstFileA,FindClose, 2_2_10041B00
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10041C80 _memset,PathRemoveFileSpecA,FindFirstFileA,FindFirstFileA,FindFirstFileA,lstrcmpiA,PathAddBackslashA,PathAddBackslashA,FindNextFileA,FindNextFileA,lstrcmpiA,PathAddBackslashA,FindNextFileA,FindClose, 2_2_10041C80
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_1008FF00 _memset,FindFirstFileA, 2_2_1008FF00
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100460A0 SetErrorMode,FindFirstFileA,lstrcmpiA,lstrcmpiA,StrChrIA,FindNextFileA,SetErrorMode,FindClose, 2_2_100460A0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10042260 FindFirstFileA,lstrcpynA,CreateFileA,GetFileSize,CloseHandle,_memset,FindFirstFileA,FindFirstFileA,FindFirstFileA,FindClose, 2_2_10042260
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100423F0 FindFirstFileA,lstrcpynA,lstrlenA,CreateFileA,CreateFileA,CreateFileA,CreateFileMappingA,MapViewOfFile,GetFileSize,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle, 2_2_100423F0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_1008E470 _memset,FindFirstFileA, 2_2_1008E470
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_1008E6C0 _memset,FindFirstFileA, 2_2_1008E6C0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10042700 _memset,_memset,_memset,_memset,PathRemoveFileSpecA,PathRemoveFileSpecA,PathFindFileNameA,PathRemoveFileSpecA,PathFileExistsA,PathAppendA,FindFirstFileA,FindFirstFileA,FindFirstFileA,_memset,_memset,PathAddBackslashA,PathAddBackslashA,StrChrIA,_memset,PathAddBackslashA,_memset,PathAddBackslashA,PathAppendA,GetFileAttributesA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,_memset,PathAppendA,PathMatchSpecA,FindNextFileA,FindClose, 2_2_10042700
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10044970 GetFileAttributesA,_memset,_memset,FindFirstFileA,FindFirstFileA,FindFirstFileA,FindNextFileA,FindNextFileA,GetFileAttributesA,PathAddBackslashA,FindNextFileA,FindClose, 2_2_10044970
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_10042EF0 _memset,_memset,lstrcpynA,StrRChrIA,FindFirstFileA,FindFirstFileA,FindFirstFileA,lstrcpynA,PathAddBackslashA,GetFileAttributesA,FindNextFileA,lstrcpynA,PathAddBackslashA,GetFileAttributesA,FindNextFileA,FindClose, 2_2_10042EF0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_0040F6A2 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 2_2_0040F6A2
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V VHDPMEM BTT Filter
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Storage Accelerator
Source: EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Generation Counter
Source: EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Virtual PCI Bus
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Guest Infrastructure Driver
Source: EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware VMCI Bus Driver
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: EacCleaner.exe, 00000003.00000003.1720616679.0000000004DAA000.00000004.00000020.00020000.00000000.sdmp, EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: EacCleaner.exe, 00000003.00000003.1720974331.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: 0_2_0040DED0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040DED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: 0_2_00401317 _memset,lstrcpyA,lstrcpyA,GetFileAttributesA,GetFileAttributesA,lstrcpyA,GetFileAttributesA,LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_00401317
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: 0_2_0040CBB5 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln, 0_2_0040CBB5
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: 0_2_00414027 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00414027
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: 0_2_004114FE SetUnhandledExceptionFilter, 0_2_004114FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: 0_2_0040DED0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040DED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: 0_2_0040C69A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040C69A
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_0040803D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0040803D
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_004115E0 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_004115E0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_004083DE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_004083DE
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: 1_2_0040E79D SetUnhandledExceptionFilter, 1_2_0040E79D
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_00414104 SetUnhandledExceptionFilter, 2_2_00414104
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_00418E8A _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00418E8A
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_0040F693 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0040F693
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_00410FAD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00410FAD
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100A96A6 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_100A96A6
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100A2DE2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_100A2DE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Process created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe /Cmd C:\Users\user\Desktop\SECURI~1.EXE "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe"
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Process created: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe C:\Users\user\AppData\Local\Temp\EAC309~1\Eaccleaner.exe -d
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Process created: C:\Program Files (x86)\Acceleration Software\Anti-Virus\customcleaner\EacCleaner.exe C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\Eaccleaner.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: 0_2_00412C4D cpuid 0_2_00412C4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: GetLocaleInfoA, 0_2_004133B0
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 1_2_00413634
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\setup.exe Code function: GetLocaleInfoA, 1_2_00411FD4
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: GetLocaleInfoA, 2_2_0041CAE1
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 2_2_0040F2E5
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 2_2_100A15B7
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea, 2_2_100C1722
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat, 2_2_100C185D
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 2_2_100C1898
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA, 2_2_100AF9A8
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_100C19D5
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: GetLocaleInfoA, 2_2_100B41D3
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: GetLocaleInfoA, 2_2_100B658D
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_100B4721
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen, 2_2_100B6777
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_100B6A32
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_100B6A97
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 2_2_100B6AD3
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 2_2_100B4DB0
Source: C:\Windows\System32\LogonUI.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\LogonUI.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\System32\LogonUI.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: 0_2_0040140E _memset,_memset,GetTempPathA,GetSystemTimeAsFileTime,GetSystemTimeAsFileTime,GetFileAttributesA,Sleep,GetSystemTimeAsFileTime,GetFileAttributesA, 0_2_0040140E
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Code function: 2_2_100C2CB1 __lock,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 2_2_100C2CB1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MulDrop6.20495.13505.14148.exe Code function: 0_2_0040CBB5 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln, 0_2_0040CBB5
Source: C:\Users\user\AppData\Local\Temp\EAC3095771650_00000000\EacCleaner.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
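The evasion evidence above mixes indicators of very different weight. The GetTickCount,Sleep,GetTickCount chains sit inside file-deletion loops (DeleteFileA, GetFileAttributesA, RemoveDirectoryA around the delay), which is also what a timeout-and-retry on a busy file looks like. The IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess chains and the _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter chains have exactly the shape of the MSVC CRT's __report_gsfailure/_call_reportfault and abort() paths, so the IsDebuggerPresent in them is library code rather than an application check. The Hyper-V service and driver names are inbox Windows components that a service enumeration lists on physical hosts as well, whereas the VMware VMCI Bus Driver string is hypervisor-specific. The Python below is an added triage example, not part of this report and not code from the analysed sample: it parses the "Code function:", "Binary or memory string:" and "Key value queried:" line formats used above and tags each entry with those caveats applied. The line layouts it assumes, the rule and tag names, the CRT chain table and the sample lines (API chains and strings copied, some shortened, from the report with short placeholder paths, plus one constructed IsDebuggerPresent,ExitProcess contrast line that is not in the report) are this example's own.

```python
"""Added triage helper for the evidence lines above (example code, not part of the
report or of the analysed sample); line layouts, rules and tag names are assumptions."""
import re
from typing import Dict, List, Optional

FN_ID = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")
LINE_RE = re.compile(r"^Source: (?P<src>.+?) (?P<kind>Code function|"
                     r"Binary or memory string|Key value queried): (?P<body>.*)$")
HYPERVISOR_SPECIFIC = re.compile(r"VMware|VBox|VirtualBox|QEMU|Xen", re.I)

# API chains the MSVC CRT emits on its own (compared after dropping _memset).
CRT_CHAINS = {
    # __report_gsfailure / _call_reportfault: IsDebuggerPresent is library code here
    "report_fault": ("IsDebuggerPresent", "SetUnhandledExceptionFilter",
                     "UnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess"),
    # abort(): raise(SIGABRT), then the same report-fault path
    "abort": ("_raise", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"),
}

# Constructed sample: placeholder paths; chains and strings copied (some shortened)
# from the report. The last line is a constructed contrast case NOT in the report.
SAMPLE_LINES = [
    "Source: C:\\s.exe Code function: 0_2_0040DED0 _memset,IsDebuggerPresent,"
    "SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0040DED0",
    "Source: C:\\s.exe Code function: 0_2_00414027 _raise,_memset,SetUnhandledExceptionFilter,"
    "UnhandledExceptionFilter, 0_2_00414027",
    "Source: C:\\s.exe Code function: 0_2_004027E8 _memset,FindFirstFileA,FindNextFileA,GetTickCount,"
    "GetFileAttributesA,DeleteFileA,GetTickCount,Sleep,GetFileAttributesA,RemoveDirectoryA,"
    "GetTickCount,Sleep,GetFileAttributesA, 0_2_004027E8",
    "Source: C:\\s.exe Code function: 0_2_00412C4D cpuid 0_2_00412C4D",
    "Source: C:\\s.exe Code function: GetLocaleInfoA, 0_2_004133B0",
    "Source: EacCleaner.exe, 00000003.00000003.sdmp Binary or memory string: VMware VMCI Bus Driver",
    "Source: EacCleaner.exe, 00000003.00000003.sdmp Binary or memory string: vmicheartbeat",
    "Source: C:\\c.exe Key value queried: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid",
    "Source: C:\\s.exe Code function: 0_2_00401000 IsDebuggerPresent,ExitProcess, 0_2_00401000",
]

def parse_line(line: str) -> Optional[Dict]:
    """Split one report line into source, kind, function id and API chain / text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"src": m["src"], "kind": m["kind"], "fn": None, "apis": [], "text": ""}
    if m["kind"] != "Code function":
        rec["text"] = m["body"].strip()
        return rec
    toks = m["body"].split()
    ids = [t for t in toks if FN_ID.match(t)]
    rec["fn"] = ids[-1] if ids else None
    chain = ",".join(t for t in toks if not FN_ID.match(t))  # one comma-separated list
    rec["apis"] = [a for a in chain.split(",") if a]
    return rec

def _in_order(apis: List[str], pattern) -> bool:
    """True when every name in pattern appears in apis in that order (gaps allowed)."""
    it = iter(apis)
    return all(p in it for p in pattern)

def classify(rec: Dict) -> List[str]:
    """Return indicator tags for one parsed record; an empty list means nothing notable."""
    if rec["kind"] == "Binary or memory string":
        if HYPERVISOR_SPECIFIC.search(rec["text"]):
            return ["vm_artifact:hypervisor_specific"]
        if "Hyper-V" in rec["text"] or rec["text"].startswith("vmic"):
            # Hyper-V integration services/drivers are inbox components that a
            # service enumeration lists on physical hosts too: weak evidence alone.
            return ["vm_artifact:inbox_hyperv_component"]
        return []
    if rec["kind"] == "Key value queried":
        return ["fingerprint:MachineGuid"] if "MachineGuid" in rec["text"] else []
    apis = rec["apis"]
    core = tuple(a for a in apis if a != "_memset")
    for name, chain in CRT_CHAINS.items():
        if core == chain:
            return [f"crt:{name}"]
    if "__cinit" in apis or "__invoke_watson" in apis:  # CRT startup / _resetstkoflw
        return ["crt:runtime_internal"]
    tags = []
    if "IsDebuggerPresent" in apis:
        tags.append("anti_debug:IsDebuggerPresent")
    if "cpuid" in apis:
        tags.append("fingerprint:cpuid")
    if _in_order(apis, ("GetTickCount", "Sleep", "GetTickCount")):
        tags.append("timing:GetTickCount-Sleep-GetTickCount")
        # delete/remove calls around the delay read like a retry loop on a busy
        # file rather than a sandbox timing check; keep that context for the analyst
        if {"DeleteFileA", "RemoveDirectoryA"} & set(apis):
            tags.append("context:file_delete_retry_loop")
    return tags

def triage(lines: List[str]) -> List[Dict]:
    """Parse and classify every line, keeping only entries with at least one tag."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        tags = classify(rec)
        if tags:
            hits.append({"src": rec["src"], "fn": rec["fn"], "tags": tags})
    return hits
```

triage(SAMPLE_LINES) returns eight tagged entries; the lone GetLocaleInfoA line produces no tag. The CRT table is checked before the per-API rules on purpose, so a chain is only reported as anti_debug when IsDebuggerPresent appears outside the known runtime paths, as in the constructed contrast line. To use it on a full report, pass the lines of the behavior section and review the timing hits together with their context tag.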
No contacted IP infos