Windows Analysis Report
DiStem-0.9.10.exe

Overview

General Information

Sample name: DiStem-0.9.10.exe
Analysis ID: 1426763
MD5: b7ce9c421b63b546ed2ab4a85237347f
SHA1: 9628b349eb84055011555e1378f38923c5bff59d
SHA256: 34c2cb8faabda345e28fbd7d189da2d08d34209e30d39b355ec4e2ef44e59863

Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: DiStem-0.9.10.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: DiStem-0.9.10.exe Static PE information: certificate valid
Source: DiStem-0.9.10.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: DiStem-0.9.10.exe, 00000000.00000003.1324795841.0000000009432000.00000004.00000020.00020000.00000000.sdmp, shiAA8C.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb source: DiStem-0.9.10.exe, ExternalUICleaner.dll.0.dr, DiStem-0.9.10.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallTrial.pdb2 source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, TrialBinaryComponent.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb7 source: DiStem-0.9.10.exe, ExternalUICleaner.dll.0.dr, DiStem-0.9.10.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr
Source: Binary string: wininet.pdbUGP source: DiStem-0.9.10.exe, 00000000.00000003.1324795841.0000000009432000.00000004.00000020.00020000.00000000.sdmp, shiAA8C.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallTrial.pdb source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, TrialBinaryComponent.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: DiStem-0.9.10.exe, lzmaextractor.dll.0.dr, DiStem-0.9.10.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: DiStem-0.9.10.exe, MSIACD7.tmp.0.dr, MSIB037.tmp.0.dr, MSIB076.tmp.0.dr, MSIAC78.tmp.0.dr, DiStem-0.9.10.msi.0.dr, MSIABF8.tmp.0.dr, MSIAB79.tmp.0.dr, MSIAD94.tmp.0.dr, MSIAD45.tmp.0.dr, MSIB007.tmp.0.dr, MSIAC48.tmp.0.dr, MSIABD8.tmp.0.dr, MSIAB0A.tmp.0.dr, MSIADC4.tmp.0.dr, MSIAC28.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: DiStem-0.9.10.exe, DiStem-0.9.10.aiui.0.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\SfxCA.pdb source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A6E460 FindFirstFileW,GetLastError,FindClose, 0_2_00A6E460
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A94060 FindFirstFileW,FindClose, 0_2_00A94060
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A502F0 FindFirstFileW,FindNextFileW,FindClose, 0_2_00A502F0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AA45D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00AA45D0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00954AD0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, 0_2_00954AD0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AA4A50 FindFirstFileW,FindClose, 0_2_00AA4A50
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A7CD70 FindFirstFileW,FindClose,FindClose, 0_2_00A7CD70
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AB9950 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00AB9950
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A6DB30 FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_00A6DB30
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A99ED0 FindFirstFileW,FindClose,CloseHandle,CloseHandle, 0_2_00A99ED0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AA3220 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00AA3220
Source: shiAA8C.tmp.0.dr String found in binary or memory: http://.css
Source: shiAA8C.tmp.0.dr String found in binary or memory: http://.jpg
Source: DiStem-0.9.10.exe, 00000000.00000002.2542527874.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: DiStem-0.9.10.exe, 00000000.00000002.2542527874.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrusT
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: DiStem-0.9.10.exe, 00000000.00000002.2542527874.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssur8
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: DiStem-0.9.10.aiui.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: shiAA8C.tmp.0.dr String found in binary or memory: http://html4/loose.dtd
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: DiStem-0.9.10.exe String found in binary or memory: http://schemas.micr
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr, DiStem-0.9.10.aiui.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: DiStem-0.9.10.exe, 00000000.00000002.2542527874.0000000004F56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.github.com/repos/DiRoots-Limited/DiRoots.DiStem.Releases/releases
Source: DiStem-0.9.10.exe, 00000000.00000003.1319898874.0000000004F98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.github.com/repos/DiRoots-Limited/DiRoots.DiStem.Releases/releasesPbw
Source: DiStem-0.9.10.exe, 00000000.00000002.2542527874.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://diroots.com/contact-us/
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr String found in binary or memory: https://diroots.com/privacy-policy/
Source: DiStem-0.9.10.exe, 00000000.00000002.2545254998.000000000A6AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://diroots.com/privacy-policy/0
Source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr String found in binary or memory: https://diroots.com/terms-and-conditions
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A4A060 SendMessageW,GetParent,GetWindowRect,GetParent,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,MapWindowPoints,FillRect,DeleteDC,SendMessageW,SendMessageW, 0_2_00A4A060
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A28250 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W,GetSysColor, 0_2_00A28250
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00958FC0 KillTimer,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection, 0_2_00958FC0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00ABBB50 NtdllDefWindowProc_W, 0_2_00ABBB50
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00948480 NtdllDefWindowProc_W,GetSysColor, 0_2_00948480
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A06490 NtdllDefWindowProc_W, 0_2_00A06490
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00952590 NtdllDefWindowProc_W, 0_2_00952590
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_0094A680 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow, 0_2_0094A680
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00952700 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00952700
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_0095E9B0 NtdllDefWindowProc_W, 0_2_0095E9B0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_0096CD10 NtdllDefWindowProc_W, 0_2_0096CD10
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_0094AE70 NtdllDefWindowProc_W, 0_2_0094AE70
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_0094B4D0 NtdllDefWindowProc_W, 0_2_0094B4D0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_009B1610 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_009B1610
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00947600 GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,NtdllDefWindowProc_W,GetWindowTextLengthW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00947600
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00947DD0 SysFreeString,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,SysFreeString, 0_2_00947DD0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A76690 0_2_00A76690
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A849E0 0_2_00A849E0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A88A70 0_2_00A88A70
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AD0BB0 0_2_00AD0BB0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00ACD210 0_2_00ACD210
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AB3260 0_2_00AB3260
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00931490 0_2_00931490
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_0095F640 0_2_0095F640
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00ADA260 0_2_00ADA260
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A744A0 0_2_00A744A0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B5E48F 0_2_00B5E48F
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_0096E420 0_2_0096E420
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00966500 0_2_00966500
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B4C680 0_2_00B4C680
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00962673 0_2_00962673
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B1E8B0 0_2_00B1E8B0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B548A3 0_2_00B548A3
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A4A8C0 0_2_00A4A8C0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00972A20 0_2_00972A20
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_009B4B20 0_2_009B4B20
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B44C9E 0_2_00B44C9E
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00952C40 0_2_00952C40
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00964D40 0_2_00964D40
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_0095AFE0 0_2_0095AFE0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_0095F0D0 0_2_0095F0D0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AD1020 0_2_00AD1020
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B4502C 0_2_00B4502C
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00933480 0_2_00933480
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B254D0 0_2_00B254D0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AC9620 0_2_00AC9620
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_0096F660 0_2_0096F660
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00ADD850 0_2_00ADD850
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00937AA0 0_2_00937AA0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00ABDCF0 0_2_00ABDCF0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AD1DC0 0_2_00AD1DC0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_0095FEA0 0_2_0095FEA0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A99ED0 0_2_00A99ED0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: String function: 00939300 appears 120 times
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: String function: 009387D0 appears 58 times
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: String function: 0093A840 appears 57 times
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: String function: 00954AD0 appears 35 times
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: String function: 0093AE80 appears 66 times
Source: DiStem-0.9.10.exe Binary or memory string: OriginalFileName vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe, 00000000.00000002.2544999209.000000000A61A000.00000002.00000001.00040000.00000024.sdmp Binary or memory string: OriginalFilenameDiRoots.CustomActions.dllL vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe, 00000000.00000002.2544999209.000000000A61A000.00000002.00000001.00040000.00000024.sdmp Binary or memory string: OriginalFilenameSfxCA.dll\ vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe, 00000000.00000002.2545254998.000000000A6F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe, 00000000.00000002.2544999209.000000000A370000.00000002.00000001.00040000.00000024.sdmp Binary or memory string: OriginalFilenamelzmaextractor.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe, 00000000.00000002.2544999209.000000000A370000.00000002.00000001.00040000.00000024.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe, 00000000.00000002.2544999209.000000000A370000.00000002.00000001.00040000.00000024.sdmp Binary or memory string: OriginalFilenamePrereq.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe, 00000000.00000002.2544999209.000000000A370000.00000002.00000001.00040000.00000024.sdmp Binary or memory string: OriginalFilenameExternalUICleaner.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe, 00000000.00000003.1324795841.0000000009432000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe Binary or memory string: OriginalFileNameDiStem-0.9.10.aiui. vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe Binary or memory string: OriginalFilenamelzmaextractor.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe Binary or memory string: OriginalFilenameAICustAct.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe Binary or memory string: OriginalFilenamePrereq.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe Binary or memory string: OriginalFilenameExternalUICleaner.dllF vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe Binary or memory string: OriginalFilenameDiRoots.CustomActions.dllL vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe Binary or memory string: OriginalFilenameSfxCA.dll\ vs DiStem-0.9.10.exe
Source: DiStem-0.9.10.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: shiAA8C.tmp.0.dr Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine Classification label: clean8.winEXE@4/100@0/0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A71850 FormatMessageW,GetLastError, 0_2_00A71850
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AA5A20 GetDiskFreeSpaceExW, 0_2_00AA5A20
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_0093A700 LoadResource,LockResource,SizeofResource, 0_2_0093A700
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user~1\AppData\Local\Temp\shiAA8C.tmp
Source: DiStem-0.9.10.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DiStem-0.9.10.exe, 00000000.00000002.2542527874.0000000004F7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT `FileName`,`Version`,`State`,`File`.`Attributes`,`TempAttributes`,`File`,`FileSize`,`Language`,`Sequence`,`Directory_`,`Installed`,`Action`,`Component` FROM `File`,`Component` WHERE `Component`=`Component_` AND `Component_`=? AND `Directory_`=?;So
Source: DiStem-0.9.10.exe String found in binary or memory: ComboBoxListBoxListViewINSERT INTO `` (`Property`, `Order`, `Value`, `Text`,`Binary_`) VALUES (?,?,?,?,?) TEMPORARY` (`Property`, `Order`, `Value`, `Text`) VALUES (?,?,?,?) TEMPORARYSELECT * FROM `%s` WHERE `Property`='%s' AND `Value`='%s'SELECT * FROM `%s` WHERE `Property`='%s'EditSELECT `Message` FROM `Error` WHERE `Error` = %sSELECT `Text` FROM `UIText` WHERE `Key` = '%s'tmpALLUSERS = 1ALLUSERS = 2MSIINSTALLPERUSER = 1AI_PACKAGE_TYPE = "x64"AI_PACKAGE_TYPE = "Intel64"SELECT * FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'SELECT `Attributes` FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'$=3WS_BORDERWS_CAPTIONWS_CHILDWS_CHILDWINDOWWS_CLIPCHILDRENWS_CLIPSIBLINGSWS_DISABLEDWS_DLGFRAMEWS_GROUPWS_HSCROLLWS_ICONICWS_SIZEBOXWS_SYSMENUWS_TABSTOPWS_THICKFRAMEWS_VISIBLEWS_VSCROLLWS_MAXIMIZEBOXWS_MAXIMIZEWS_MINIMIZEBOXWS_MINIMIZEWS_OVERLAPPEDWINDOWWS_OVERLAPPEDWS_POPUPWINDOWWS_POPUPWS_TILEDWINDOWWS_TILEDWS_EX_ACCEPTFILESWS_EX_APPWINDOWWS_EX_CLIENTEDGEWS_EX_CONTEXTHELPWS_EX_CONTROLPARENTWS_EX_DLGMODALFRAMEWS_EX_LEFTWS_EX_LEFTSCROLLBARWS_EX_LTRREADINGWS_EX_MDICHILDWS_EX_NOPARENTNOTIFYWS_EX_OVERLAPPEDWINDOWWS_EX_PALETTEWINDOWWS_EX_RTLREADINGWS_EX_STATICEDGEWS_EX_TOOLWINDOWWS_EX_TOPMOSTWS_EX_TRANSPARENTWS_EX_WINDOWEDGEWS_EX_RIGHTSCROLLBARWS_EX_RIGHTWS_EX_LAYEREDWS_EX_NOACTIVATEWS_EX_NOINHERITLAYOUTWS_EX_LAYOUTRTLWS_EX_COMPOSITEDWS_EXAI_TRIAL_MESSAGE_BODYAI_MSM_TRIAL_MESSAGE_BODYAI_APP_FILEAI_README_FILEAI_APP_ARGSAI_RUN_AS_ADMINMsiLogFileLocation[ProgramFilesFolder][LocalAppDataFolder]Programs\[ProgramFiles64Folder][CommonFilesFolder][LocalAppDataFolder]Programs\Common\[CommonFiles64Folder][WindowsFolder][LocalAppDataFolder][SystemFolder][WindowsVolume][ProgramMenuFolder][DesktopFolder][StartupFolder][TemplateFolder][AdminToolsFolder][AI_UserProgramFiles][WindowsVolume]Program Files (x86)\[AI_ProgramFiles][WindowsVolume]Program Files\MIGRATEFindRelatedProductsMigrateFeatureStatesAI_SETMIXINSTLOCATIONAI_RESTORE_LOCATIONSELECT `ActionProperty` FROM `Upgrade``Action`='SET_APPDIR' OR `Action`='SET_SHORTCUTDIR'SET_APPDIRSET_SHORTCUTDIRSHORTCUTDIRProgramMenuFolderAI_SH_INITEDBrowseDlgCancelDlgDiskCostDlgExitDialogMsiRMFilesInUseOutOfDiskDlgOutOfRbDiskDlgDialog_Control_(`Control_` = 'Next' OR `Control_` = 'Install') AND `Event` = 'EndDialog' AND `Argument` = 'Return'ControlEventAI_INSTALLPERUSER = "0"ALLUSERSVersionMsi >= "5.0"2MSIINSTALLPERUSERAI_NEWINSTProductLanguageAI_INTANCE_LOCATIONAI_UPGRADEValuePropertyNoLanguageVersionStringInstallLocationAI_REPLACE_PRODUCTSAI_Replaced_Versions_ListAI_Upgrade_Replace_Question_YesBackUp_AI_Upgrade_Question_YesAI_Upgrade_Question_YesAI_Upgrade_Replace_Question_NoBackUp_AI_Upgrade_Question_NoAI_Upgrade_Question_NoYesDELETE FROM `Shortcut` WHERE `Shortcut`.`Directory_`='%s'DELETE FROM `IniFile` WHERE `IniFile`.`Section`='InternetShortcut' AND`IniFile`.`DirProperty`='%s'SELECT * FROM `%s`ShortcutIniFileAI_DESKTOP_SHAI_STARTMENU_SHAI_STARTUP_SHAI_SHORTCUTSREGNot InstalledDesktopFolderStartupFolderAI_SH_DI
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File read: C:\Users\user\Desktop\DiStem-0.9.10.exe
Source: unknown Process created: C:\Users\user\Desktop\DiStem-0.9.10.exe "C:\Users\user\Desktop\DiStem-0.9.10.exe"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D4A075D37BC1D68A01BCA1EB71DE32A6 C
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: davhlpr.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: lpk.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Automated click: Install
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Automated click: I agree with the Terms and Conditions and Privacy Policy.
Source: DiStem-0.9.10.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: DiStem-0.9.10.exe Static file information: File size 91671328 > 1048576
Source: DiStem-0.9.10.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x298000
Source: DiStem-0.9.10.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DiStem-0.9.10.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DiStem-0.9.10.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DiStem-0.9.10.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DiStem-0.9.10.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DiStem-0.9.10.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb source: DiStem-0.9.10.exe, ExternalUICleaner.dll.0.dr, DiStem-0.9.10.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallTrial.pdb2 source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, TrialBinaryComponent.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb7 source: DiStem-0.9.10.exe, ExternalUICleaner.dll.0.dr, DiStem-0.9.10.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr
Source: Binary string: wininet.pdbUGP source: DiStem-0.9.10.exe, 00000000.00000003.1324795841.0000000009432000.00000004.00000020.00020000.00000000.sdmp, shiAA8C.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\InstallTrial.pdb source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, TrialBinaryComponent.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: DiStem-0.9.10.exe, lzmaextractor.dll.0.dr, DiStem-0.9.10.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: DiStem-0.9.10.exe, MSIACD7.tmp.0.dr, MSIB037.tmp.0.dr, MSIB076.tmp.0.dr, MSIAC78.tmp.0.dr, DiStem-0.9.10.msi.0.dr, MSIABF8.tmp.0.dr, MSIAB79.tmp.0.dr, MSIAD94.tmp.0.dr, MSIAD45.tmp.0.dr, MSIB007.tmp.0.dr, MSIAC48.tmp.0.dr, MSIABD8.tmp.0.dr, MSIAB0A.tmp.0.dr, MSIADC4.tmp.0.dr, MSIAC28.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: DiStem-0.9.10.exe, DiStem-0.9.10.aiui.0.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\SfxCA.pdb source: DiStem-0.9.10.exe, DiStem-0.9.10.msi.0.dr, DiRoots.CustomActions.0.dr
Source: DiStem-0.9.10.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DiStem-0.9.10.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DiStem-0.9.10.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DiStem-0.9.10.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DiStem-0.9.10.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shiAA8C.tmp.0.dr Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A849E0 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,LoadLibraryW,GetProcAddress,GetEnvironmentVariableW,SHGetPathFromIDListW,SHGetMalloc, 0_2_00A849E0
Source: TrialBinaryComponent.0.dr Static PE information: real checksum: 0x42782 should be: 0x45951
Source: DiStem-0.9.10.exe Static PE information: section name: .didat
Source: DiStem-0.9.10.aiui.0.dr Static PE information: section name: .didat
Source: shiAA8C.tmp.0.dr Static PE information: section name: .wpp_sf
Source: shiAA8C.tmp.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A4B220 push ecx; mov dword ptr [esp], 3F800000h 0_2_00A4B37F
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B3D20E push ecx; ret 0_2_00B3D221
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_0094F3B0 push ecx; mov dword ptr [esp], ecx 0_2_0094F3B1
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\ProgramData\DiRoots, LDA\DiStem 0.9.10\install\DiStem-0.9.10.aiui Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\MSIAB79.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\lzmaextractor.dll Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\MSIAC28.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\TrialBinaryComponent Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\ExternalUICleaner.dll Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\MSIAC78.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\MSIAC48.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\shiAA8C.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\MSIABF8.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\MSIB037.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\DiRoots.CustomActions Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\MSIAD45.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\MSIADC4.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\MSIB007.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\MSIABD8.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\MSIB076.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\MSIACD7.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\MSIAB0A.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File created: C:\Users\user\AppData\Local\Temp\MSIAD94.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\ProgramData\DiRoots, LDA\DiStem 0.9.10\install\DiStem-0.9.10.aiui Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAB79.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\lzmaextractor.dll Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAC28.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\TrialBinaryComponent Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\ExternalUICleaner.dll Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAC78.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAC48.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiAA8C.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIABF8.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\DiRoots.CustomActions Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB037.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAD45.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIADC4.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB007.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIABD8.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB076.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAB0A.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIACD7.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAD94.tmp Jump to dropped file
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File Volume queried: C:\ProgramData FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File Volume queried: C:\ProgramData\DiRoots, LDA\DiStem 0.9.10\install FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A6E460 FindFirstFileW,GetLastError,FindClose, 0_2_00A6E460
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A94060 FindFirstFileW,FindClose, 0_2_00A94060
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A502F0 FindFirstFileW,FindNextFileW,FindClose, 0_2_00A502F0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AA45D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00AA45D0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00954AD0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, 0_2_00954AD0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AA4A50 FindFirstFileW,FindClose, 0_2_00AA4A50
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A7CD70 FindFirstFileW,FindClose,FindClose, 0_2_00A7CD70
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AB9950 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00AB9950
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A6DB30 FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_00A6DB30
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A99ED0 FindFirstFileW,FindClose,CloseHandle,CloseHandle, 0_2_00A99ED0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AA3220 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00AA3220
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B395C6 VirtualQuery,GetSystemInfo, 0_2_00B395C6
Source: DiStem-0.9.10.exe, 00000000.00000002.2545254998.000000000A6AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Administrators
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B416F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B416F3
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AA7750 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,OutputDebugStringW,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers, 0_2_00AA7750
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B3C0ED mov esi, dword ptr fs:[00000030h] 0_2_00B3C0ED
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B5668A mov eax, dword ptr fs:[00000030h] 0_2_00B5668A
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B56646 mov eax, dword ptr fs:[00000030h] 0_2_00B56646
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B47D54 mov ecx, dword ptr fs:[00000030h] 0_2_00B47D54
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B3C159 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_00B3C159
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_009723A0 __set_se_translator,SetUnhandledExceptionFilter, 0_2_009723A0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B3CBDE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00B3CBDE
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00975000 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00975000
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00A6A020 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,FindCloseChangeNotification, 0_2_00A6A020
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: GetLocaleInfoW,GetLocaleInfoW, 0_2_00A9C2B0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_close_down.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_close_hot.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_close_normal.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_close_inactive.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_min_down.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_min_hot.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_min_normal.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_min_inactive.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_left.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_left_inactive.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_mid.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_mid_inactive.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_caption_datGray.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_caption_inactive.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_right.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_right_inactive.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_left.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_left_inactive.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_right.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_right_inactive.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_left.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_left_inactive.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_mid.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_mid_inactive.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_right.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_bottom_right_inactive.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\PrepareDlgProgress.gif VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\PrepareDlgProgress.gif VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backgroundprepareDarkGray.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\PluginLogo VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\nextcancelbuttons VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\browsebutton VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backgroundDarkGray.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\backbutton VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\nextcancelbuttons VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\checkbox VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\metroinstallbuttonDarkOrange.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\PluginLogo VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\checkbox VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\checkbox VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\checkbox VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
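The "Queries the volume information" signature fires on every GetVolumeInformation call, so the list above reads as one long alarm. What an analyst actually wants to know is where the queries land: a bare drive root (a device/volume probe) versus files the sample itself dropped under %TEMP%. The script below is an added triage helper, not part of the sandbox report and not code from the sample; it assumes the "Source: <process> Queries volume information: <target> VolumeInformation" line layout seen in this report and uses a constructed subset of those lines as input. Whether AI_EXTUI_BIN_7316 is the installer's own extraction directory is left to the analyst; the code only groups the targets and counts them.

```python
"""Triage the "Queries volume information" entries of a sandbox behaviour report.

Added example (not part of the report). Assumption: entries follow the
"Source: <process> Queries volume information: <target> VolumeInformation"
layout; the target is the path the process asked GetVolumeInformation about.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

ENTRY_RE = re.compile(
    r"^Source:\s+(?P<process>.+?)\s+Queries volume information:\s+"
    r"(?P<target>.+?)\s+VolumeInformation\s*$"
)

# Constructed sample: a subset of the report's lines, with the trailing
# "Jump to behavior" link text removed.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_close_down.png VolumeInformation
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_close_hot.png VolumeInformation
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\sys_close_hot.png VolumeInformation
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\frame_top_left.bmp VolumeInformation
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\PluginLogo VolumeInformation
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7316\checkbox VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
""".strip().splitlines()


def parse_volume_queries(lines):
    """Return (process, target) tuples for every matching line; other lines are skipped."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("process"), m.group("target")))
    return entries


def is_volume_root(target):
    """True for a bare drive root such as C:\\, i.e. a query about the volume itself."""
    p = PureWindowsPath(target)
    return p.name == "" and p.drive != ""


def triage(entries, temp_marker="\\AppData\\Local\\Temp\\"):
    """Summarise where the queries land.

    by_process : queries per source process
    by_dir     : queries per parent directory (a drive root counts as itself)
    roots      : sorted drive roots queried directly (the enumeration signal)
    temp_only  : True when every file-level query sits under the user's Temp
                 directory, i.e. the process inspected only files dropped
                 there rather than arbitrary locations on the volume
    """
    by_process = Counter()
    by_dir = Counter()
    roots = set()
    outside_temp = []
    for process, target in entries:
        by_process[process] += 1
        path = PureWindowsPath(target)
        if is_volume_root(target):
            roots.add(str(path))
            by_dir[str(path)] += 1
            continue
        by_dir[str(path.parent)] += 1
        if temp_marker.lower() not in str(path).lower():
            outside_temp.append(str(path))
    return {
        "by_process": by_process,
        "by_dir": by_dir,
        "roots": sorted(roots),
        "temp_only": not outside_temp,
        "outside_temp": outside_temp,
    }


def render(summary):
    """One line per directory, busiest first, for a quick read of the report."""
    lines = [f"{count:4d}  {directory}"
             for directory, count in summary["by_dir"].most_common()]
    lines.append("drive roots queried directly: "
                 + (", ".join(summary["roots"]) or "none"))
    lines.append(f"file-level queries confined to %TEMP%: {summary['temp_only']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(triage(parse_volume_queries(SAMPLE_LINES))))
```

Run against the full list on this page the output collapses to two rows: the C:\ root, queried once each by the sample and by msiexec.exe, and the single AI_EXTUI_BIN_7316 directory that receives every other query. A sample that was fingerprinting removable media or walking drive letters would instead show several roots and directories outside %TEMP%, which is the shape worth escalating.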
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AB48E0 CreateNamedPipeW,CreateFileW, 0_2_00AB48E0
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00B3D61E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00B3D61E
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00AB3260 GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey,RegCloseKey, 0_2_00AB3260
Source: C:\Users\user\Desktop\DiStem-0.9.10.exe Code function: 0_2_00937AA0 GetVersionExW,GetVersionExW,IsProcessorFeaturePresent, 0_2_00937AA0
No contacted IP infos