Windows Analysis Report
SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe

Overview

General Information

Sample name: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
Analysis ID: 1430330
MD5: 61144b1d8168af54da7f364640019e2c
SHA1: 091838658ea6001e64291d5541508bbb7b42f77e
SHA256: 9cfe6496621b2695f95bfabfe9baab9f167a168dd633d3c9271f86d168699cdd
Tags: exe

Detection

Score: 42
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to detect sleep reduction / modifications
Query firmware table information (likely to detect VMs)
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Static PE information: certificate valid
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: F:\work\dtl_dep\utility\company_lib\core\softconfig\build\abroad\Release\softconfig.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr
Source: Binary string: F:\DTL6\dtl_install\project\DTLInstaller_duilib\Release_NU\DTLInstaller_NU.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: f:\work\code\svn_108\dtl_dep\utility\company_lib\core\substat\project\Release_en\substat.pdb M source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3423045526.000000006E86D000.00000002.00000001.01000000.00000006.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.0000000004495000.00000004.00000020.00020000.00000000.sdmp, substat.dll.0.dr
Source: Binary string: \DTInstUI\bulid\Release\DTInstUI.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422917435.000000006D2BA000.00000002.00000001.01000000.00000005.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.0000000004169000.00000004.00000020.00020000.00000000.sdmp, DTInstUI.dll.0.dr
Source: Binary string: D:\tunk_dtl_dep\utility\company_lib\core\pcid\build\base\Release\pcid.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, pcid.dll.0.dr
Source: Binary string: f:\work\code\svn_108\dtl_dep\utility\company_lib\core\substat\project\Release_en\substat.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3423045526.000000006E86D000.00000002.00000001.01000000.00000006.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.0000000004495000.00000004.00000020.00020000.00000000.sdmp, substat.dll.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: z:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: y:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: x:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: w:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: v:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: u:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: t:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: s:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: r:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: q:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: p:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: o:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: n:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: m:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: l:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: k:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: j:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: i:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: h:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: g:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: f:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File opened: e:
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E2C521 FindFirstFileW,GetFullPathNameW,SetLastError,lstrlenW,_wcsrchr,_wcsrchr, 0_2_00E2C521
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E22BD5 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,_memset,PathAddBackslashW,QueryDosDeviceW,PathAddBackslashW,PathAddBackslashW, 0_2_00E22BD5
Source: global traffic UDP traffic: 192.168.2.6:60599 -> 209.58.131.173:3800
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: dispatch.integrate.drivethelife.com
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe String found in binary or memory: http://bbs.160.com/forum-66-1.html
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bbs.160.com/forum-66-1.html0
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.000000000097F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabjA
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.000000000097F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en0
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe String found in binary or memory: http://install.integrate.drivethelife.com/common/IntegrateInstallStat.ashx
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://install.integrate.drivethelife.com/common/IntegrateInstallStat.ashx.
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe String found in binary or memory: http://int.softconfig.drivethelife.com/server.ashx?type=%d
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr String found in binary or memory: http://int.softconfig.drivethelife.com/server.ashx?type=%dhttp://int.updrv.com/dtl/server.ashx?type=
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe String found in binary or memory: http://int.updrv.com/common/IntegrateUnInstallStat.ashx
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe String found in binary or memory: http://int.updrv.com/dtl/server.ashx?type=%d
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sf.symcb.com
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr String found in binary or memory: http://sf.symcd.com0&
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe String found in binary or memory: http://www.drivethelife.com/
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.drivethelife.com/D
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe String found in binary or memory: http://www.drivethelife.com/EULA.html
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr String found in binary or memory: http://www.openssl.org/support/faq.html
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe String found in binary or memory: http://www.ostoto.com/licence/EULA-for-OSToto-Driver-Talent.html
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ostoto.com/licence/EULA-for-OSToto-Driver-Talent.html3
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe String found in binary or memory: http://www.ostoto.com/web/install/%d/1
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ostoto.com/web/install/%d/1d?/
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe String found in binary or memory: http://www.ostoto.com/web/uninstall/%d/1
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.sy
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, DTInstUI.dll.0.dr, pcid.dll.0.dr, substat.dll.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E28968 ExitWindowsEx, 0_2_00E28968
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E486A0 0_2_00E486A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E24712 0_2_00E24712
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E3187C 0_2_00E3187C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E720D9 0_2_00E720D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E33145 0_2_00E33145
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E652E7 0_2_00E652E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E5C2C0 0_2_00E5C2C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E692AF 0_2_00E692AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E6E290 0_2_00E6E290
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E3320D 0_2_00E3320D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E5E3DD 0_2_00E5E3DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E4A4D0 0_2_00E4A4D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E54496 0_2_00E54496
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E47460 0_2_00E47460
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E645A6 0_2_00E645A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E3F6B3 0_2_00E3F6B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E687CF 0_2_00E687CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E4B726 0_2_00E4B726
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E6571C 0_2_00E6571C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E408C7 0_2_00E408C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E6B8CC 0_2_00E6B8CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E7089E 0_2_00E7089E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E2782D 0_2_00E2782D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E51AF0 0_2_00E51AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E64A9A 0_2_00E64A9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E4CA00 0_2_00E4CA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E47BE0 0_2_00E47BE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E33BDD 0_2_00E33BDD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E46CF0 0_2_00E46CF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E48CF1 0_2_00E48CF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E48C50 0_2_00E48C50
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E45DC0 0_2_00E45DC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E32D86 0_2_00E32D86
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E68D3F 0_2_00E68D3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: String function: 00E4E0C0 appears 55 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: String function: 00E2D9AF appears 37 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: String function: 00E2E753 appears 41 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: String function: 00E56770 appears 54 times
Source: DTInstUI.dll.0.dr Static PE information: Resource name: ZIP type: Zip archive data, at least v1.0 to extract, compression method=store
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.0000000004495000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesubstat.dll, vs SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3423076833.000000006E877000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilenamesubstat.dll, vs SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
Source: substat.dll.0.dr Binary string: %d IsWow64Processkernel32GetSystemFirmwareTablekernel32.dllROOT\WMIMSSMBios_RawSMBiosTablesSmbiosMajorVersionSmbiosMinorVersionSMBiosData\device\physicalmemoryntdll.dllZwOpenSectionZwMapViewOfSectionZwUnmapViewOfSectionZwCloseH
Source: pcid.dll.0.dr Binary string: PCI{1A3E09BE-1E45-494B-9174-D7385B45BBF5}\\.\#{ad498944-762f-11d0-8dcb-00c04fc3358c}maclen[%d]CPCIDCalculator::CalculatePCID..\..\project\src\PCIDCalculator.cppcpulen[%d]bioslen[%d]GetDiskEx drive[%d] ret[%d]GetDisk drive[%d] ret[%d]disklen[%d][%d]:[%2x]GetSystemFirmwareTablekernel32.dllROOT\WMIMSSMBios_RawSMBiosTablesSmbiosMajorVersionSmbiosMinorVersionSMBiosData\device\physicalmemoryntdll.dllZwOpenSectionZwMapViewOfSectionZwUnmapViewOfSectionZwClosevector<T> too longm_cAssetTagNumber:%d
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr Binary or memory string: ...Slnt
Source: classification engine Classification label: mal42.evad.winEXE@1/16@4/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E3FC89 GetLastError,FormatMessageA, 0_2_00E3FC89
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E229D4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 0_2_00E229D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E27203 __EH_prolog3_catch_GS,FindWindowW,PostMessageW,CreateToolhelp32Snapshot, 0_2_00E27203
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E2C69C FindResourceW,LoadResource, 0_2_00E2C69C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E2111A OpenSCManagerW,OpenServiceW,QueryServiceStatusEx,QueryServiceStatusEx,StartServiceW,QueryServiceStatusEx, 0_2_00E2111A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{A043B702-166A-4FB8-9733-E2BC4713F36F}33
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File created: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Command line argument: DAR0 0_2_00E21F35
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Command line argument: DAR 0_2_00E21F35
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Command line argument: DAR2 0_2_00E21F35
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Command line argument: global_app_id 0_2_00E21F35
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Command line argument: InstallPath 0_2_00E21F35
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Command line argument: DTLSE_OnInstall 0_2_00E21F35
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Command line argument: ~& 0_2_00E625D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File read: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\English.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe String found in binary or memory: <soft><softid>%d</softid><name>%s</name><describe>%s</describe><url>%s</url><checked>%d</checked> <installparam>%s</installpar
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe String found in binary or memory: Khttp://install.integrate.drivethelife.com/common/IntegrateInstallStat.ashx
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe String found in binary or memory: -start
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe String found in binary or memory: 'http://www.ostoto.com/web/install/%d/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File written: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\instlan\Armenian.ini Jump to behavior
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Static PE information: certificate valid
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Static file information: File size 12960432 > 1048576
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xc21e00
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: F:\work\dtl_dep\utility\company_lib\core\softconfig\build\abroad\Release\softconfig.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422603402.000000006D1BD000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, softconfig.dll.0.dr
Source: Binary string: F:\DTL6\dtl_install\project\DTLInstaller_duilib\Release_NU\DTLInstaller_NU.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419320899.0000000000E21000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: f:\work\code\svn_108\dtl_dep\utility\company_lib\core\substat\project\Release_en\substat.pdb M source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3423045526.000000006E86D000.00000002.00000001.01000000.00000006.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.0000000004495000.00000004.00000020.00020000.00000000.sdmp, substat.dll.0.dr
Source: Binary string: \DTInstUI\bulid\Release\DTInstUI.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3422917435.000000006D2BA000.00000002.00000001.01000000.00000005.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.0000000004169000.00000004.00000020.00020000.00000000.sdmp, DTInstUI.dll.0.dr
Source: Binary string: D:\tunk_dtl_dep\utility\company_lib\core\pcid\build\base\Release\pcid.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.00000000042BE000.00000004.00000020.00020000.00000000.sdmp, pcid.dll.0.dr
Source: Binary string: f:\work\code\svn_108\dtl_dep\utility\company_lib\core\substat\project\Release_en\substat.pdb source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3423045526.000000006E86D000.00000002.00000001.01000000.00000006.sdmp, SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000003.2162319807.0000000004495000.00000004.00000020.00020000.00000000.sdmp, substat.dll.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_01ACE930 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_01ACE930
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E4F47C push ecx; ret 0_2_00E4F48F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E567B5 push ecx; ret 0_2_00E567C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E58728 push edx; ret 0_2_00E58729
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File created: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\DTInstUI.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File created: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\pcid.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File created: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\substat.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe File created: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\softconfig.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E2111A OpenSCManagerW,OpenServiceW,QueryServiceStatusEx,QueryServiceStatusEx,StartServiceW,QueryServiceStatusEx, 0_2_00E2111A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E54496 __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00E54496
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E21094 0_2_00E21094
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\DTInstUI.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\pcid.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\substat.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Hot96EC.tmp\softconfig.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe API coverage: 8.5 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E21094 0_2_00E21094
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E2C521 FindFirstFileW,GetFullPathNameW,SetLastError,lstrlenW,_wcsrchr,_wcsrchr, 0_2_00E2C521
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E22BD5 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,_memset,PathAddBackslashW,QueryDosDeviceW,PathAddBackslashW,PathAddBackslashW, 0_2_00E22BD5
Source: SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe, 00000000.00000002.3419066406.00000000008EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E671A1 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_00E671A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E2764D _memset,SHGetSpecialFolderPathW,_memset,__swprintf,OutputDebugStringW,OutputDebugStringW,_memset,GetLastError,__swprintf,OutputDebugStringW,SetEnvironmentVariableW,_memset,GetLastError,__swprintf,OutputDebugStringW, 0_2_00E2764D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_01ACE930 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_01ACE930
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E74433 GetProcessHeap, 0_2_00E74433
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E58BC7 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E58BC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E58BA4 SetUnhandledExceptionFilter, 0_2_00E58BA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E21E30 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexW,GetLastError,FindWindowW,SwitchToThisWindow, 0_2_00E21E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E547A7 cpuid 0_2_00E547A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: GetLocaleInfoW, 0_2_00E6702D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement, 0_2_00E63248
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,InterlockedDecrement, 0_2_00E6420E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW, 0_2_00E663B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__calloc_crt,__invoke_watson, 0_2_00E5A5E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_00E67598
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_00E666E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_00E66668
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: EnumSystemLocalesW, 0_2_00E66628
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW, 0_2_00E66768
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_00E6384C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: GetLocaleInfoW, 0_2_00E6695B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00E66A83
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_00E66B30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 0_2_00E66C04
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E508F5 GetSystemTimeAsFileTime,__aulldiv, 0_2_00E508F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Code function: 0_2_00E60779 __lock,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00E60779
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.DriverTalent.A.gen.Eldorado.3883.7584.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 Blob