Windows Analysis Report
SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe

Overview

General Information

Sample name: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe
Analysis ID: 1417467
MD5: 064771a6f90221c6ec876e911deec4ee
SHA1: 9e2144222c329e30a39123ea12d2deb13514dd5a
SHA256: e78f923cf9bf871360810f9a9f1a108c14143c8e78d700633d328fde5b4bda33
Tags: exe

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Drops PE files
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Queries keyboard layouts
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files

Classification

Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, 00000000.00000003.1722619759.0000000002450000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, 00000000.00000003.1724827521.000000007FCB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000000.1725643495.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://www.innosetup.com/
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, 00000000.00000003.1722619759.0000000002450000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, 00000000.00000003.1724827521.000000007FCB0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000000.1725643495.0000000000401000.00000020.00000001.01000000.00000004.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: http://www.remobjects.com/ps
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, 00000000.00000002.2966039533.00000000022DD000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000002.2966459087.00000000023AD000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.remosoftware.com
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, 00000000.00000002.2966039533.00000000022E4000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000002.2966459087.00000000023B4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.remosoftware.com/support
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, 00000000.00000003.1719711502.0000000002450000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000003.1726525407.0000000003350000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.remosoftware.comFhttp://www.remosoftware.com/support
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, 00000000.00000002.2966039533.000000000228A000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, 00000000.00000003.1719711502.0000000002450000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000002.2967278654.0000000007477000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000002.2966459087.0000000002314000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000003.1726525407.0000000003350000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.remo.one
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000003.1726525407.0000000003350000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.remorepair.com/store/buy-remo-repair-ppt.html?sc=rrppt-rrep-sit-bld
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000003.1726525407.0000000003350000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.remorepair.com/thank-you/successfully-installed.html?sc=rrppt-rrep-sit-bld
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000003.1726525407.0000000003350000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.remosoftware.com/activate/successfully-activated.php?
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000002.2966459087.00000000022AE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.remosoftware.com/eula.html
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000003.1726525407.0000000003350000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.remosoftware.com/privacy.html
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, 00000000.00000002.2966039533.000000000228A000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, 00000000.00000003.1719711502.0000000002450000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000002.2965986801.00000000006B6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000002.2965986801.0000000000695000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000002.2966459087.0000000002314000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000003.1726525407.0000000003350000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.remosoftware.com/products
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp, 00000001.00000003.1726525407.0000000003350000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.remosoftware.com/renew
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, 00000000.00000003.1724827521.000000007FE31000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe, 00000000.00000003.1722619759.00000000025D5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: msftedit.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: globinputhost.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: windows.ui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: inputhost.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Section loaded: twinapi.appcore.dll Jump to behavior
Source: classification engine Classification label: clean1.winEXE@3/2@0/0
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp File created: C:\Users\user\AppData\Local\Programs Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Mutant created: \Sessions\1\BaseNamedObjects\remo_repair_ppt_2.0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe File created: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe "C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe Process created: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp "C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp" /SL5="$10426,7669476,573440,C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe"
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Window found: window name: TMainForm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe Static file information: File size 8148624 > 1048576
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe File created: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp File created: C:\Users\user\AppData\Local\Temp\is-VV91P.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-VV91P.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-5EV83.tmp\SecuriteInfo.com.Program.Unwanted.2855.15029.20928.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809 Jump to behavior
No contacted IP infos