Windows Analysis Report
SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe

Overview

General Information

Sample name: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe
Analysis ID: 1429056
MD5: 3267524dfd0402edc79dd8bc794f6b60
SHA1: ace93085f7ca737c26b46746c131198890b171a9
SHA256: c22beac6359f4a40b59d7d1770dd70610d85670466c86f5d95211c98ebac96ff
Tags: exe

Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Checks for available system drives (often done to infect USB drives)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: C:\data\atr\Apex\pwdata\Debug\pwdata.pdb source: PWDATA.EXE.2.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00410106 CreateEventA,GetProcAddress,SearchPathA,GetModuleFileNameA,FindFirstFileA,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose, 0_2_00410106
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File opened: C:\Users\user\AppData\Local\Temp\_isE74C.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File opened: C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File opened: C:\Users\user\
Source: pdqcom32.ocx.2.dr String found in binary or memory: http://crescent.progress.com.
Source: pdqcom32.ocx.2.dr String found in binary or memory: http://crescent.progress.com/
Source: pdqcom32.ocx.2.dr String found in binary or memory: http://crescent.progress.com/crescent/codedepot.html
Source: 622280.rbs.2.dr String found in binary or memory: http://www.apexedi.com
Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe, ApexWin.msi.0.dr, 62227f.msi.2.dr String found in binary or memory: http://www.apexedi.comFile:
Source: aps102eng.exe.2.dr String found in binary or memory: http://www.installshield.com/pftw/
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_0040F733 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 0_2_0040F733
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File created: C:\Windows\Downloaded Installations
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File created: C:\Windows\Downloaded Installations\{B5878C7F-DF01-43A0-9EE0-60D4127E7720}
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File created: C:\Windows\Downloaded Installations\{B5878C7F-DF01-43A0-9EE0-60D4127E7720}\ApexWin.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\62227f.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{348DFD33-272D-4451-8968-31E94E81AE45}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI257D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\comdlg32.ocx
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mscomctl.ocx
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\tabctl32.ocx
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Controls_COMCATDLL_f0.3207D1B0_80E5_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Vba_VbRuntime_f0.1E64E430_36E0_11D2_A794_0060089A724B
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_VC_CRT_f0.51D569E0_8A28_11D2_B962_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\622281.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\622281.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\622281.msi
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00403A6F 0_2_00403A6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00417C44 0_2_00417C44
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_0041D7A3 0_2_0041D7A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: String function: 00414644 appears 67 times
Source: ApexWin.exe.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: msado25.tlb.2.dr Static PE information: No import functions for PE file found
Source: Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24.2.dr Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE x, vs SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe
Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Binary or memory string: OriginalFilename_IsIcoRes.exeP vs SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe
Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: VB6.OLB.2.dr Binary or memory string: Specifies the path of the project .VBP file when running the application from the development environment or the path of the executable file when running the application as an executable file.WW
Source: classification engine Classification label: clean8.winEXE@8/83@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_0040F733 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 0_2_0040F733
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_0040EF4B LoadLibraryA,GetProcAddress,lstrcpyA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,FreeLibrary, 0_2_0040EF4B
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00404740 GetPrivateProfileIntA,CoCreateInstance,wsprintfA,StringFromCLSID,SysAllocString,CoTaskMemFree,lstrlenW,lstrlenW,wsprintfA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,CoCreateGuid,lstrcatA,StringFromCLSID,SysAllocString,CoTaskMemFree,lstrlenW,lstrcatA,CreateProcessA,SysFreeString,lstrlenW,wsprintfA,WaitForInputIdle,CloseHandle,CloseHandle,CloseHandle,Sleep,CreateItemMoniker,GetRunningObjectTable,SysFreeString,RegCloseKey,RegCloseKey,RegCloseKey,SysFreeString, 0_2_00404740
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_004044FB FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_004044FB
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CML279F.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File created: C:\Users\user\AppData\Local\Temp\~CB76.tmp
Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File read: C:\Users\user\AppData\Local\Temp\_isE74C\_ISMSIDEL.INI
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe "C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Windows\Downloaded Installations\{B5878C7F-DF01-43A0-9EE0-60D4127E7720}\ApexWin.msi" SETUPEXEDIR="C:\Users\user\Desktop"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BDB44787BAEFCB4E5F2923A34628155A C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A892F398EEF8C393BFA3B4244973CB46
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Windows\Downloaded Installations\{B5878C7F-DF01-43A0-9EE0-60D4127E7720}\ApexWin.msi" SETUPEXEDIR="C:\Users\user\Desktop"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BDB44787BAEFCB4E5F2923A34628155A C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A892F398EEF8C393BFA3B4244973CB46
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sxs.dll
Source: ApexWin.lnk.2.dr LNK file: ..\..\..\..\Installer\{348DFD33-272D-4451-8968-31E94E81AE45}\New_Shortcut_S3855_1.exe
Source: ApexWin Claims.lnk.2.dr LNK file: ..\AppData\Roaming\Microsoft\Installer\{348DFD33-272D-4451-8968-31E94E81AE45}\New_Shortcut_S2054_1.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File written: C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Static file information: File size 10577307 > 1048576
Source: Binary string: C:\data\atr\Apex\pwdata\Debug\pwdata.pdb source: PWDATA.EXE.2.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00409EC8 GetPrivateProfileIntA,GetPrivateProfileStringA,LoadLibraryA,GetProcAddress,FreeLibrary,lstrcpyA,lstrcpyA,lstrcpyA,wsprintfA,lstrcmpA,CopyFileA,GetLastError,wsprintfA,lstrcatA,wsprintfA,MessageBoxA,MoveFileA,lstrcatA,CopyFileA, 0_2_00409EC8
Source: Global_Vba_VbRuntime_f0.1E64E430_36E0_11D2_A794_0060089A724B.2.dr Static PE information: section name: ENGINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00414820 push eax; ret 0_2_0041484E
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00414644 push eax; ret 0_2_00414662
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\tabctl32.ocx
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\ECP.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\comdlg32.ocx
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\PWECP.EXE
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\ApexWin.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\dclient.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\scrrun.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\ICONLIB.DLL
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\Extra\data9.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\Pdqtapi.ocx
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\data.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\Spool\aps102eng.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\Extra\pwmon.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\Extra\ALTAFORM.EXE
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\msado25.tlb
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Vba_VbRuntime_f0.1E64E430_36E0_11D2_A794_0060089A724B
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\PSMON.DLL
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\pdqcom32.ocx
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF7E5.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\PSCRIPT.DRV
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Installer\{348DFD33-272D-4451-8968-31E94E81AE45}\New_Shortcut_S3855_1.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Controls_COMCATDLL_f0.3207D1B0_80E5_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF834.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\PKZIP25.EXE
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Installer\{348DFD33-272D-4451-8968-31E94E81AE45}\New_Shortcut_S2054_1.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\PREPECF.EXE
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mscomctl.ocx
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\Extra\PWDATA.EXE
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_VC_CRT_f0.51D569E0_8A28_11D2_B962_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\tabctl32.ocx Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\comdlg32.ocx Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00409106 GetTempPathA,GetWindowsDirectoryA,GetPrivateProfileStringA,wsprintfA, 0_2_00409106
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_004019D5 GetPrivateProfileStringA,GetPrivateProfileStringA,lstrlenA,GetPrivateProfileStringA,lstrlenA,GetPrivateProfileStringA,lstrlenA,GetPrivateProfileStringA,lstrlenA,lstrcmpiA,GetPrivateProfileStringA,lstrlenA,GetPrivateProfileStringA,ExpandEnvironmentStringsA,lstrcpyA,GetPrivateProfileIntA, 0_2_004019D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_0040D9BB GetPrivateProfileIntA,wsprintfA,CharNextA,CharNextA,CharNextA,GetPrivateProfileStringA, 0_2_0040D9BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00406B4C GetPrivateProfileStringA, 0_2_00406B4C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00407353 __EH_prolog,GetPrivateProfileStringA,GetPrivateProfileStringA,wsprintfA,GetPrivateProfileStringA,wsprintfA,SendMessageA,SendMessageA,MessageBoxA,GetDlgItem,SendMessageA,SendMessageA,lstrcatA,wsprintfA,lstrcatA,wsprintfA,RegQueryValueExA,SetCurrentDirectoryA,RegCloseKey,GetPrivateProfileStringA,lstrcatA,lstrcmpA,lstrcmpA,lstrcmpA,KiUserCallbackDispatcher, 0_2_00407353
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_004013EE GetPrivateProfileStringA,lstrlenA, 0_2_004013EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00406B93 GetPrivateProfileIntA, 0_2_00406B93
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00407C0F __EH_prolog,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetModuleFileNameA,lstrlenA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,CoInitialize,SysFreeString,GetPrivateProfileStringA,SysFreeString,SysFreeString,CoUninitialize, 0_2_00407C0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00409437 __EH_prolog,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,CoInitialize,GetPrivateProfileStringA,lstrlenW,WideCharToMultiByte,SysFreeString,SysFreeString,CoUninitialize, 0_2_00409437
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_0040D487 GetPrivateProfileIntA,wsprintfA,wsprintfA,GetPrivateProfileStringA,wsprintfA, 0_2_0040D487
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_0040A5A2 __EH_prolog,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,wsprintfA,lstrlenW,WideCharToMultiByte, 0_2_0040A5A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00409EC8 GetPrivateProfileIntA,GetPrivateProfileStringA,LoadLibraryA,GetProcAddress,FreeLibrary,lstrcpyA,lstrcpyA,lstrcpyA,wsprintfA,lstrcmpA,CopyFileA,GetLastError,wsprintfA,lstrcatA,wsprintfA,MessageBoxA,MoveFileA,lstrcatA,CopyFileA, 0_2_00409EC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_0040CEDB __EH_prolog,lstrcpyA,IsValidCodePage,GetPrivateProfileIntA,lstrlenA,lstrlenA,lstrlenA,wsprintfA, 0_2_0040CEDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_004096DF GetPrivateProfileIntA,GetPrivateProfileStringA,lstrcpyA, 0_2_004096DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_004081BC __EH_prolog,CopyFileA,SetFileAttributesA,wsprintfA,lstrcatA,lstrcatA,CopyFileA,lstrcpyA,GetPrivateProfileIntA,lstrcpyA,lstrcpyA,wsprintfA,wsprintfA,lstrcatA,wsprintfA,wsprintfA,lstrcpyA,GetModuleFileNameA,wsprintfA,lstrcatA,RegCreateKeyExA,RegCloseKey,lstrlenA,CoInitialize,lstrlenW,WideCharToMultiByte,lstrlenA,RegSetValueExA,lstrlenW,WideCharToMultiByte,lstrlenA,RegSetValueExA,lstrlenW,WideCharToMultiByte,lstrlenA,RegSetValueExA,RegCloseKey,lstrlenW,WideCharToMultiByte,lstrlenA,RegSetValueExA,RegCloseKey,CoUninitialize,lstrlenA,RegSetValueExA,RegCloseKey,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,RegCloseKey, 0_2_004081BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_004052F6 __EH_prolog,CharNextA,CharNextA,CharNextA,lstrcpyA,GetPrivateProfileIntA,wsprintfA,GetPrivateProfileStringA, 0_2_004052F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00409BB0 wsprintfA,GetPrivateProfileStringA,lstrcmpA, 0_2_00409BB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00406BBB wsprintfA,GetPrivateProfileStringA, 0_2_00406BBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00406C9C lstrcatA,GetPrivateProfileStringA, 0_2_00406C9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_0040A51C GetPrivateProfileIntA,wsprintfA,RegCreateKeyExA,RegDeleteKeyA,RegCloseKey, 0_2_0040A51C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_0040FDD6 wsprintfA,wsprintfA,CharNextA,CharNextA,CharNextA,lstrcatA,wsprintfA,GetPrivateProfileStringA,VerLanguageNameA, 0_2_0040FDD6
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00404E21 CharNextA,CharNextA,CharNextA,lstrcpyA,GetPrivateProfileStringA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,lstrcpyA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,lstrcpyA,CharNextA,CharNextA,CharNextA,CharNextA,lstrcpyA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,lstrcpyA,CharNextA,lstrcpyA,lstrcpyA,CharNextA, 0_2_00404E21
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00408ECE GetPrivateProfileStringA,GetPrivateProfileSectionA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_00408ECE
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00404740 GetPrivateProfileIntA,CoCreateInstance,wsprintfA,StringFromCLSID,SysAllocString,CoTaskMemFree,lstrlenW,lstrlenW,wsprintfA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,CoCreateGuid,lstrcatA,StringFromCLSID,SysAllocString,CoTaskMemFree,lstrlenW,lstrcatA,CreateProcessA,SysFreeString,lstrlenW,wsprintfA,WaitForInputIdle,CloseHandle,CloseHandle,CloseHandle,Sleep,CreateItemMoniker,GetRunningObjectTable,SysFreeString,RegCloseKey,RegCloseKey,RegCloseKey,SysFreeString, 0_2_00404740
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_0040A779 GetPrivateProfileStringA,GetPrivateProfileIntA, 0_2_0040A779
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Apex EDI Inc Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Apex EDI Inc\ApexWin.lnk Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_0040FF30 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0040FF30
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\tabctl32.ocx Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\ECP.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\PWECP.EXE Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\comdlg32.ocx Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\ApexWin.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\scrrun.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\ICONLIB.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\dclient.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\Extra\data9.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\Pdqtapi.ocx Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\data.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\Spool\aps102eng.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\Extra\pwmon.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\Extra\ALTAFORM.EXE Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\msado25.tlb Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Vba_VbRuntime_f0.1E64E430_36E0_11D2_A794_0060089A724B Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\PSMON.DLL Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\pdqcom32.ocx Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF7E5.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\PSCRIPT.DRV Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Installer\{348DFD33-272D-4451-8968-31E94E81AE45}\New_Shortcut_S3855_1.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_Controls_COMCATDLL_f0.3207D1B0_80E5_11D2_B95D_006097C4DE24 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24 Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF834.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\PKZIP25.EXE Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Installer\{348DFD33-272D-4451-8968-31E94E81AE45}\New_Shortcut_S2054_1.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\PREPECF.EXE Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mscomctl.ocx Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\Extra\PWDATA.EXE Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_VC_CRT_f0.51D569E0_8A28_11D2_B962_006097C4DE24 Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00410106 CreateEventA,GetProcAddress,SearchPathA,GetModuleFileNameA,FindFirstFileA,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose, 0_2_00410106
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_0040BE0A GetVersionExA,GetSystemInfo, 0_2_0040BE0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File opened: C:\Users\user\AppData\Local\Temp\_isE74C.tmp Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File opened: C:\Users\user\AppData\Local\Temp\_isE74C\Setup.INI Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00409EC8 GetPrivateProfileIntA,GetPrivateProfileStringA,LoadLibraryA,GetProcAddress,FreeLibrary,lstrcpyA,lstrcpyA,lstrcpyA,wsprintfA,lstrcmpA,CopyFileA,GetLastError,wsprintfA,lstrcatA,wsprintfA,MessageBoxA,MoveFileA,lstrcatA,CopyFileA, 0_2_00409EC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00418923 SetUnhandledExceptionFilter, 0_2_00418923
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_00418935 SetUnhandledExceptionFilter, 0_2_00418935
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_0040F808 GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid, 0_2_0040F808
Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Binary or memory string: Shell_TrayWndArialCANCELDescriptionMSlovenianBasque%xDefault%#04xTitle.iniNoSuppressRebootKeyDotNetOptionalInstallIfSilentDotNetOptionalSETUPEXEDIRCertKeyISScript.MsiCacheFolderCacheRootLocationTypeScriptVerServicePackPlatformIdBuildNoMinorVerMaxMinorVerMajorVerSupportOSProductCodeSuppressWrongOSSuppressRebootSoftware\Microsoft\Active Setup\Installed Components\%s{1C370964-514B-321C-7237-2B4FD86D8568}{021122EA-49DC-4aeb-9D15-DCEAD9BAB1BC}{7E76A8D6-33D1-0032-16C3-4593092861D0}{E7E2C871-090A-C372-F9AE-C3C6A988D260}{F1B13231-13BE-1231-5401-486BA763DEB6}{6741C120-01BA-87F9-8734-5FB9DA8A4445}{F279058C-50B2-4BE4-60C9-369CACF06821}{78705f0d-e8db-4b2d-8193-982bdda15ecd}{9B29D757-088E-E8C9-2535-AA319B92C00A},.VersionISSCHEDULEREBOOT=1 ISSCHEDULEREBOOT=1InstallerLocationSoftware\Microsoft\Windows\CurrentVersion\InstallerMicrosoft(R) .NET Framework /l%d /q:a /c:"install /q"dotnetredistSp1.exedotnetredist.exedotnetfx.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: GetLocaleInfoA,TranslateCharsetInfo, 0_2_0040F92E
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: GetLocaleInfoA, 0_2_0040F98B
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe Code function: 0_2_0041586F EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA, 0_2_0041586F
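The evidence above is long but has a regular shape: "File created" and "Dropped PE file which has not been started" lines name what msiexec.exe wrote to disk, and "Code function" lines list the Win32 APIs each function in the sample calls. The following triage script is an added example written for this page; it is not part of the Joe Sandbox report and not code from the ApexWin installer. It parses a constructed sample of lines copied from this report, buckets the dropped files by where they landed (the bucket names and the GetProcAddress threshold of 8 are assumptions chosen here), lists the PE files that were dropped but never executed, and flags two API patterns the report itself calls out: heavy runtime import resolution (the 24-fold GetProcAddress run in 0_2_0040FF30) and the OpenProcessToken / GetTokenInformation / AllocateAndInitializeSid / EqualSid chain in 0_2_0040F808, which is the token-group comparison the report labels as an administrative-privilege check.

```python
"""Triage helper for Joe Sandbox style 'Source: ...' evidence lines.

Added example for this report page; not part of the sandbox output or of
the analysed installer. Location buckets and GETPROCADDRESS_MIN are
assumptions made for this example.
"""
import re
from collections import Counter

# Constructed sample: evidence lines copied from this report. The 24 repeated
# GetProcAddress calls of 0_2_0040FF30 are written as a repetition for readability.
SAMPLE_EXE = r"C:\Users\user\Desktop\SecuriteInfo.com.BScope.TrojanDropper.VB.14010.24078.exe"
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ApexWin\data.exe Jump to dropped file",
    r"Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mscomctl.ocx Jump to dropped file",
    r"Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\UnManaged\S-1-5-21-2246122658-3693405117-2476756634-1002\33DFD843D27215449886139EE418EA54\7.1.0\Global_VC_CRT_f0.51D569E0_8A28_11D2_B962_006097C4DE24 Jump to dropped file",
    r"Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF7E5.tmp Jump to dropped file",
    # The same path cited a second time (the report repeats files under several signatures).
    r"Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mscomctl.ocx Jump to dropped file",
    r"Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ApexWin\data.exe Jump to dropped file",
    r"Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mscomctl.ocx Jump to dropped file",
    f"Source: {SAMPLE_EXE} Code function: 0_2_0040FF30 LoadLibraryA," + "GetProcAddress," * 24 + " 0_2_0040FF30",
    f"Source: {SAMPLE_EXE} Code function: 0_2_0040F808 GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid, 0_2_0040F808",
    f"Source: {SAMPLE_EXE} Code function: 0_2_00406B4C GetPrivateProfileStringA, 0_2_00406B4C",
]

# "Source: <process> File created: <path> Jump to dropped file" and the
# "Dropped PE file which has not been started" variant share one pattern.
DROP_RE = re.compile(
    r"^Source: (?P<proc>\S+) (?P<kind>File created|Dropped PE file which has not been started): "
    r"(?P<path>.+?) Jump to dropped file$"
)
# "Source: <process> Code function: [<addr>] <api,api,...,> <addr>"; the leading
# address is optional because some signature lines in the report omit it.
FUNC_RE = re.compile(
    r"^Source: (?P<proc>\S+) Code function: (?:\d+_\d+_[0-9A-Fa-f]+ )?"
    r"(?P<apis>\S+) (?P<addr>\d+_\d+_[0-9A-Fa-f]+)$"
)

GETPROCADDRESS_MIN = 8  # assumption: this many GetProcAddress calls in one function is worth a look
ADMIN_CHECK_CHAIN = ("OpenProcessToken", "GetTokenInformation", "AllocateAndInitializeSid", "EqualSid")


def parse_report(lines):
    """Return (dropped files keyed by path, API call lists keyed by function address)."""
    dropped, functions = {}, {}
    for line in lines:
        line = line.strip()
        m = DROP_RE.match(line)
        if m:
            entry = dropped.setdefault(m["path"], {"by": m["proc"], "never_started": False})
            if m["kind"].startswith("Dropped PE"):
                entry["never_started"] = True
            continue
        m = FUNC_RE.match(line)
        if m:
            functions[m["addr"]] = [api for api in m["apis"].split(",") if api]
    return dropped, functions


def classify_location(path):
    """Bucket a dropped-file path; bucket names are assumptions for this example."""
    p = path.lower()
    if "\\$patchcache$\\" in p:
        return "msi patch cache"
    if p.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
        return "system directory"
    if "\\appdata\\local\\temp\\" in p:
        return "user temp"
    if p.startswith("c:\\program files"):
        return "program files"
    return "other"


def flag_functions(functions):
    """Flag functions that resolve many imports at runtime or compare token groups against a SID."""
    flags = {}
    for addr, apis in functions.items():
        counts = Counter(apis)
        reasons = []
        if counts["GetProcAddress"] >= GETPROCADDRESS_MIN:
            reasons.append("runtime import resolution: %d GetProcAddress calls" % counts["GetProcAddress"])
        if all(counts[api] for api in ADMIN_CHECK_CHAIN):
            reasons.append("token group comparison (administrator membership check pattern)")
        if reasons:
            flags[addr] = reasons
    return flags


def summarize(lines):
    """One-shot summary suitable for a triage note."""
    dropped, functions = parse_report(lines)
    return {
        "dropped_total": len(dropped),
        "by_location": dict(Counter(classify_location(p) for p in dropped)),
        "never_started": sorted(p for p, e in dropped.items() if e["never_started"]),
        "flagged_functions": flag_functions(functions),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LINES), indent=2))
```

Run against the full evidence list instead of the embedded sample, the same functions separate the MSI bookkeeping (the $PatchCache$ copies and the MSI*.tmp files) from the application payload under C:\Program Files (x86)\ApexWin and the VB6 runtime controls written to SysWOW64, and the admin-check chain turns out to be the standard BUILTIN\Administrators membership test, which an MSI-based installer has a legitimate reason to perform.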
No contacted IP infos