Windows Analysis Report
SecuriteInfo.com.FileRepMalware.6681.9154.exe

Overview

General Information

Sample name: SecuriteInfo.com.FileRepMalware.6681.9154.exe
Analysis ID: 1436479
MD5: 328c956c47ee50d02e59606f7ec2da63
SHA1: cd295fdab4917d886f2ea2a9b6087eda39325e0c
SHA256: ebeb532c17f6d9fc3d5c49c98f2f96e4a45a870aad37e5be4e001115d26b6ac4
Tags: exe

Detection

Score: 28
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Multi AV Scanner detection for dropped file
Contains functionality to register a low level keyboard hook
Sample or dropped binary is a compiled AutoHotkey binary
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

AV Detection

Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe (copy) Virustotal: Detection: 23%
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\is-D2QRV.tmp Virustotal: Detection: 23%
Source: https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP Parser: No favicon
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.GNU GENERAL PUBLIC LICENSEVersion 3 29 June 2007Copyright 2007 Free Software Foundation Inc. <https://fsf.org/>Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed.PreambleThe GNU General Public License is a free copyleft license for software and other kinds of works.The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We the Free Software Foundation use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs too.When we speak of free software we are referring to freedom not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish) that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that you know you can do these things.To protect your rights we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore you have certain responsibilities if you distribute copies of the software or if you modify it: responsibilities to respect the freedom of others.For example if you distribute copies of such a program whether gratis or for a fee you must pass on to the recipients the same freedoms that you received. 
You must make sure that they too receive or can get the source code. And you must show them these terms so they know their rights.Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software and (2) offer you this License giving you legal permission to copy distribute and/or modify it.For the developers' and authors' protection the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake the GPL requires that modified versions be marked as changed so that their problems will not be attributed erroneously to authors of previous versions.Some devices are designed to deny users access to install or run modified versions of the software inside them although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use which is precisely where it is most unacceptable. Therefore we have designed this version of the GPL to prohibit the practice for those products
Source: unknown HTTPS traffic detected: 23.33.180.114:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.33.180.114:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00477AC0 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose, 13_2_00477AC0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00456150 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose, 13_2_00456150
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004733E0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle, 13_2_004733E0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00444390 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__swprintf,FindNextFileW,FindClose, 13_2_00444390
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004554D0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize, 13_2_004554D0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0042E5D0 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,__wcstoi64,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose, 13_2_0042E5D0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00444690 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime, 13_2_00444690
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004449D0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 13_2_004449D0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00477A30 FindFirstFileW,FindClose,GetFileAttributesW, 13_2_00477A30
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 23.33.180.114
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00454E40 __wcstoi64,InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetReadFile,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFile,InternetReadFileExA,InternetReadFileExA,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,InternetReadFileExA,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,DeleteFileW, 13_2_00454E40
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
Host: www.google.com
Connection: keep-alive
X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1
Host: www.google.com
Connection: keep-alive
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
Host: www.google.com
Connection: keep-alive
X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1
Host: www.google.com
Connection: keep-alive
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 HTTP/1.1
Host: apis.google.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
Range: bytes=0-2147483646
User-Agent: Microsoft BITS/7.8
Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3OEcbSRnMKOeR77&MD=5lAYsDmF HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=3OEcbSRnMKOeR77&MD=5lAYsDmF HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP/1.1
Host: ogs.google.com
Connection: keep-alive
sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUX
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: iframe
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Source: SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2150730649.00000000057C1000.00000004.00001000.00020000.00000000.sdmp, is-7J2DR.tmp.1.dr String found in binary or memory: https://www.facebook.com/groups/1246418025757303/ equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2150730649.00000000057C1000.00000004.00001000.00020000.00000000.sdmp, is-7J2DR.tmp.1.dr String found in binary or memory: https://www.facebook.com/groups/172781931480902/ equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: ogs.google.com
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe, 00000000.00000003.1601306389.0000000002570000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.exe, 00000000.00000003.2161987012.00000000021F4000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2157672724.00000000038C1000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.1606148093.00000000035B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.dk-soft.org/
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe, 00000000.00000003.1601306389.0000000002570000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.exe, 00000000.00000003.2161987012.00000000021F4000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2158504667.0000000002440000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.1606148093.00000000035B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.haysoft.org%1-k
Source: chromecache_95.4.dr String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_95.4.dr String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_95.4.dr String found in binary or memory: https://apis.google.com
Source: chromecache_86.4.dr String found in binary or memory: https://apis.google.com/js/api.js
Source: ESET key finder.exe, ESET key finder.exe, 0000000D.00000000.2149173747.00000000004A2000.00000002.00000001.01000000.0000000B.sdmp, ESET key finder.exe, 0000000D.00000002.2870851261.00000000004A2000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: https://autohotkey.com
Source: SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2150730649.000000000578E000.00000004.00001000.00020000.00000000.sdmp, ESET key finder.exe, 0000000D.00000000.2149173747.00000000004A2000.00000002.00000001.01000000.0000000B.sdmp, ESET key finder.exe, 0000000D.00000002.2870851261.00000000004A2000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: https://autohotkey.comCould
Source: chromecache_95.4.dr String found in binary or memory: https://clients6.google.com
Source: chromecache_95.4.dr String found in binary or memory: https://content.googleapis.com
Source: chromecache_95.4.dr String found in binary or memory: https://csp.withgoogle.com/csp/lcreport/
Source: chromecache_95.4.dr String found in binary or memory: https://domains.google.com/suggest/flow
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe, 00000000.00000003.1601306389.0000000002570000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.exe, 00000000.00000003.2161987012.00000000022A2000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2158504667.0000000002440000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.1606148093.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2157003927.000000000087B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2159525943.0000000000850000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2157672724.00000000037D6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://fsf.org/
Source: SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2158504667.00000000024ED000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2150730649.00000000057C1000.00000004.00001000.00020000.00000000.sdmp, ESET key finder.exe, 0000000D.00000000.2149224142.00000000004CF000.00000002.00000001.01000000.0000000B.sdmp, ESET key finder.exe, 0000000D.00000002.2871596030.0000000002B90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Sperhak323/ESET-key-finder
Source: ESET key finder.exe, 0000000D.00000002.2871596030.0000000002B90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Sperhak323/ESET-key-finder5.30x4BA6D30xFF00000xE042390xF5F6F80xDFEAF00x3030300x29
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe, 00000000.00000003.2161987012.00000000022A2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/Sperhak323/ESET-key-finderQ
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe, 00000000.00000003.1601306389.0000000002570000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.1606148093.00000000035B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/Sperhak323/ESET-key-finderZhttps://github.com/Sperhak323/ESET-key-finderZhttps://
Source: SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2158504667.00000000024ED000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/Sperhak323/ESET-key-findera
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: chromecache_96.4.dr String found in binary or memory: https://ogs.google.com/
Source: chromecache_96.4.dr String found in binary or memory: https://ogs.google.com/widget/app/so
Source: chromecache_95.4.dr String found in binary or memory: https://plus.google.com
Source: chromecache_95.4.dr String found in binary or memory: https://plus.googleapis.com
Source: chromecache_96.4.dr String found in binary or memory: https://ssl.gstatic.com
Source: SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2150730649.00000000057C1000.00000004.00001000.00020000.00000000.sdmp, is-7J2DR.tmp.1.dr String found in binary or memory: https://t.me/s/LicenseForAll
Source: SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2150730649.00000000057C1000.00000004.00001000.00020000.00000000.sdmp, is-7J2DR.tmp.1.dr String found in binary or memory: https://t.me/s/esetnod32freekey
Source: SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2150730649.00000000057C1000.00000004.00001000.00020000.00000000.sdmp, is-7J2DR.tmp.1.dr String found in binary or memory: https://telegram.me/s/nod323
Source: chromecache_86.4.dr String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_95.4.dr String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2157672724.00000000037D6000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.gnu.org/licenses/
Source: chromecache_86.4.dr String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: chromecache_95.4.dr String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_95.4.dr String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_96.4.dr String found in binary or memory: https://www.gstatic.com
Source: chromecache_96.4.dr String found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe, 00000000.00000003.1602314129.00000000026B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.exe, 00000000.00000003.1602694247.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000000.1603972487.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-THR5T.tmp.1.dr String found in binary or memory: https://www.innosetup.com/
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe, 00000000.00000003.1602314129.00000000026B0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.exe, 00000000.00000003.1602694247.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000000.1603972487.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-THR5T.tmp.1.dr String found in binary or memory: https://www.remobjects.com/ps
Source: unknown HTTPS traffic detected: 23.33.180.114:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.33.180.114:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.4:49754 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00409720 SetWindowsHookExW 0000000D,Function_00004D60,00400000,00000000 13_2_00409720
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00404AB0 GetTickCount,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard, 13_2_00404AB0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004047E0 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard, 13_2_004047E0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00479C40 EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalFree,GlobalUnlock,CloseClipboard, 13_2_00479C40
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004049B0 GetClipboardFormatNameW,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,GetClipboardData, 13_2_004049B0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0043B460 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free, 13_2_0043B460
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004110A0 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState, 13_2_004110A0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00401454 GlobalUnlock,CloseClipboard,SetTimer,GetTickCount,GetTickCount,KiUserCallbackDispatcher,GetTickCount,GetFocus,TranslateAcceleratorW,GetKeyState,GetWindowLongW,IsWindowEnabled,GetKeyState,GetKeyState,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,IsDialogMessageW,ShowWindow,GetForegroundWindow,GetWindowThreadProcessId,GetClassNameW,KillTimer,DragQueryFileW,DragFinish,GetTickCount,DragFinish,DragFinish,_wcsncpy,_wcsncpy,GetTickCount,_wcsncpy,GetTickCount,IsDialogMessageW,SetCurrentDirectoryW,TranslateAcceleratorW,TranslateMessage,DispatchMessageW, 13_2_00401454
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00413210 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState, 13_2_00413210
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0040F960 __wcsnicmp,__wcsnicmp,GetWindowThreadProcessId,AttachThreadInput,GetKeyboardLayout,GetTickCount,GetCurrentThreadId,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetTickCount,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,__wcsnicmp,_wcschr,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsicoll,PostMessageW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__wcsnicmp,__wcsnicmp,__fassign,PostMessageW,PostMessageW,PostMessageW,__itow,PostMessageW,_free,GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetForegroundWindow,GetWindowThreadProcessId, 13_2_0040F960
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0040FD96 GetTickCount,GetTickCount,PeekMessageW,GetTickCount,_wcschr,_wcschr,__wcsnicmp,_free,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput, 13_2_0040FD96

System Summary

Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Window found: window name: AutoHotkey
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00440C10: __swprintf,CreateFileW,DeviceIoControl,CloseHandle, 13_2_00440C10
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004566C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 13_2_004566C0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00401454 13_2_00401454
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00460760 13_2_00460760
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004850B0 13_2_004850B0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0049A10F 13_2_0049A10F
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00497125 13_2_00497125
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004331B0 13_2_004331B0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00408310 13_2_00408310
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00476500 13_2_00476500
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004085E0 13_2_004085E0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0040C5A0 13_2_0040C5A0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004485B0 13_2_004485B0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0042F660 13_2_0042F660
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0049A660 13_2_0049A660
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004207F0 13_2_004207F0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0049B7AC 13_2_0049B7AC
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0040F960 13_2_0040F960
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0049D911 13_2_0049D911
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0041C9E0 13_2_0041C9E0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00418980 13_2_00418980
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0047F9A0 13_2_0047F9A0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0040CBD0 13_2_0040CBD0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0043AC50 13_2_0043AC50
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00492CD2 13_2_00492CD2
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0048ED40 13_2_0048ED40
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00401E64 13_2_00401E64
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0040DE80 13_2_0040DE80
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0043DF70 13_2_0043DF70
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00414F01 13_2_00414F01
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00414F00 13_2_00414F00
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0049DFED 13_2_0049DFED
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: String function: 00430A40 appears 80 times
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: String function: 004908AD appears 54 times
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: String function: 00476D50 appears 45 times
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: String function: 0049B990 appears 44 times
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: String function: 00430CF0 appears 268 times
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: String function: 004906A9 appears 350 times
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: String function: 00476CB0 appears 62 times
Source: SecuriteInfo.com.FileRepMalware.6681.9154.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-THR5T.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe, 00000000.00000003.1602694247.000000007FE35000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.FileRepMalware.6681.9154.exe
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe, 00000000.00000003.2161987012.00000000022D8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.FileRepMalware.6681.9154.exe
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe, 00000000.00000003.1602314129.0000000002799000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.FileRepMalware.6681.9154.exe
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe, 00000000.00000000.1600655028.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs SecuriteInfo.com.FileRepMalware.6681.9154.exe
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe Binary or memory string: OriginalFileName vs SecuriteInfo.com.FileRepMalware.6681.9154.exe
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: sus28.spyw.evad.winEXE@23/54@6/5
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00431A00 __wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,__swprintf,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW, 13_2_00431A00
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004566C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 13_2_004566C0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004408B0 _wcsncpy,GetDiskFreeSpaceExW, 13_2_004408B0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004568D0 CreateToolhelp32Snapshot,Process32FirstW,__wcstoi64,Process32NextW,__wsplitpath,__wcsicoll,Process32NextW,CloseHandle,CloseHandle,CloseHandle, 13_2_004568D0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004554D0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize, 13_2_004554D0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00478BC0 SystemParametersInfoW,LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,ExtractIconW, 13_2_00478BC0
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp File created: C:\Program Files (x86)\Sperhak Industries
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe File created: C:\Users\user\AppData\Local\Temp\is-K223H.tmp
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Command line argument: `OI 13_2_00494EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe Process created: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp "C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp" /SL5="$2045E,6188866,801280,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe"
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(%08)192207080962112986271363245700090061668218406782359533476819003707/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2556 --field-trial-handle=2520,i,879092211089403127,1941375681759626372,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Process created: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe "C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe Process created: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp "C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp" /SL5="$2045E,6188866,801280,C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Process created: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe "C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2556 --field-trial-handle=2520,i,879092211089403127,1941375681759626372,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: msftedit.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: globinputhost.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: windows.ui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: inputhost.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: ESET key finder.lnk.1.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe
Source: ESET key finder.lnk0.1.dr LNK file: ..\..\..\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Window found: window name: TSelectLanguageForm
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.GNU GENERAL PUBLIC LICENSEVersion 3 29 June 2007Copyright 2007 Free Software Foundation Inc. <https://fsf.org/>Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed.PreambleThe GNU General Public License is a free copyleft license for software and other kinds of works.The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We the Free Software Foundation use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs too.When we speak of free software we are referring to freedom not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish) that you receive source code or can get it if you want it that you can change the software or use pieces of it in new free programs and that you know you can do these things.To protect your rights we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore you have certain responsibilities if you distribute copies of the software or if you modify it: responsibilities to respect the freedom of others.For example if you distribute copies of such a program whether gratis or for a fee you must pass on to the recipients the same freedoms that you received. 
You must make sure that they too receive or can get the source code. And you must show them these terms so they know their rights.Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software and (2) offer you this License giving you legal permission to copy distribute and/or modify it.For the developers' and authors' protection the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake the GPL requires that modified versions be marked as changed so that their problems will not be attributed erroneously to authors of previous versions.Some devices are designed to deny users access to install or run modified versions of the software inside them although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use which is precisely where it is most unacceptable. Therefore we have designed this version of the GPL to prohibit the practice for those products
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe Static file information: File size 7147009 > 1048576
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00478430 __wcsnicmp,__wcsnicmp,__wcstoi64,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,LoadLibraryW,LoadLibraryW,LoadImageW,GetFileAttributesW,__wcsicoll,__wcsicoll,__wcsicoll,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,DeleteObject,GetIconInfo,GetObjectW,CreateFileW,GetFileSize,GlobalAlloc,CloseHandle,GlobalLock,CloseHandle,GlobalFree,ReadFile,GlobalUnlock,CloseHandle,CreateStreamOnHGlobal,OleLoadPicture,GlobalFree,DeleteObject,DeleteObject,DestroyIcon,LoadImageW,DestroyIcon,CopyImage,CopyImage,CreateIconIndirect,DeleteObject, 13_2_00478430
Source: SecuriteInfo.com.FileRepMalware.6681.9154.exe Static PE information: section name: .didata
Source: SecuriteInfo.com.FileRepMalware.6681.9154.tmp.0.dr Static PE information: section name: .didata
Source: is-THR5T.tmp.1.dr Static PE information: section name: .didata
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00495005 push ecx; ret 13_2_00495018
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0046FB08 push esi; ret 13_2_0046FB0A
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp File created: C:\Program Files (x86)\Sperhak Industries\ESET key finder\is-THR5T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp File created: C:\Program Files (x86)\Sperhak Industries\ESET key finder\unins000.exe (copy)
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe File created: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp File created: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp File created: C:\Program Files (x86)\Sperhak Industries\ESET key finder\is-D2QRV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp File created: C:\Users\user\AppData\Local\Temp\is-DKQTO.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET key finder
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET key finder\ESET key finder.lnk
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00460760 MulDiv,MulDiv,MulDiv,_wcschr,__wcsicoll,MulDiv,MulDiv,MulDiv,ReadConsoleOutputAttribute,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,_wcschr,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,GetWindowLongW,GetPropW,MapWindowPoints,GetWindowLongW,SendMessageW,CreateWindowExW,CreateWindowExW,CreateWindowExW,CreateWindowExW,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,CreateWindowExW,SendMessageW,CreateWindowExW,SendMessageW,SendMessageW,MulDiv,MulDiv,MulDiv,MoveWindow,SelectObject,ReleaseDC,SendMessageW,SendMessageW,GetClientRect,SetWindowLongW,SendMessageW,SetWindowLongW,MoveWindow,GetWindowRect,SendMessageW,SetWindowPos,GetWindowRect,MapWindowPoints,InvalidateRect,SetWindowPos,SetWindowPos,MapWindowPoints, 13_2_00460760
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00466D30 SetWindowTextW,IsZoomed,IsIconic,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,__wcsnicmp,MulDiv,MulDiv,ShowWindow,IsIconic,GetParent,GetWindowLongW,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowRect,GetWindowLongW,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,MoveWindow,GetForegroundWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,GetAncestor,GetForegroundWindow,GetFocus,GetDlgCtrlID,GetDlgCtrlID,GetParent,GetDlgCtrlID,UpdateWindow,GetDlgCtrlID,SetFocus, 13_2_00466D30
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004780B0 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen, 13_2_004780B0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00478110 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen, 13_2_00478110
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0043B460 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,__wcsnicmp,__fassign,__wcsnicmp,_wcsncpy,__fassign,__fassign,__fassign,__fassign,GetDC,DestroyIcon,DeleteObject,DeleteObject,GetIconInfo,DeleteObject,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject,_free,_free,_free, 13_2_0043B460
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00453650 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,__swprintf, 13_2_00453650
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00439960 GetForegroundWindow,IsWindowVisible,GetWindowThreadProcessId,IsZoomed,IsIconic,GetWindowLongW,__swprintf,GetModuleHandleW,GetProcAddress,__swprintf, 13_2_00439960
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00463A00 GetWindowLongW,GetWindowLongW,GetWindowLongW,__wcsnicmp,__wcsnicmp,__wcsicoll,SetWindowPos,__wcsicoll,__wcsicoll,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,EnableWindow,__wcsnicmp,__wcsnicmp,__wcsicoll,__wcsicoll,__wcsicoll,__wcsnicmp,MulDiv,MulDiv,__wcsnicmp,MulDiv,MulDiv,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcstoi64,IsWindow,SetParent,SetWindowLongW,SetParent,IsWindowVisible,IsIconic,SetWindowLongW,SetWindowLongW,SetWindowPos,InvalidateRect, 13_2_00463A00
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0047AAB0 GetForegroundWindow,IsWindowVisible,IsIconic,ShowWindow, 13_2_0047AAB0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0047ABE0 GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,IsIconic,ShowWindow,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,SetForegroundWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,BringWindowToTop, 13_2_0047ABE0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0043DBA0 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,WindowFromPoint,EnumChildWindows,_memset,EnumChildWindows,GetClassNameW,EnumChildWindows, 13_2_0043DBA0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0046ABB0 SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,PtInRect,SetFocus,SendMessageW,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect, 13_2_0046ABB0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0043AC50 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,__swprintf,ReleaseDC,SelectObject,DeleteDC,DeleteObject,_free,GetPixel,ReleaseDC, 13_2_0043AC50
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0043CD10 SendMessageW,SendMessageW,SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW, 13_2_0043CD10
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.6681.9154.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Window / User API: foregroundWindowGot 529
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Sperhak Industries\ESET key finder\is-THR5T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Sperhak Industries\ESET key finder\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DKQTO.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe API coverage: 3.2 %
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004071C0 GetKeyboardLayout followed by cmp: cmp dword ptr [004cd1ach], edi and CTI: je 00407394h 13_2_004071C0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00414290 GetKeyboardLayout followed by cmp: cmp al, 19h and CTI: ja 0041437Fh country: Russian (ru) 13_2_00414290
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00477AC0 _wcschr,_wcschr,_wcschr,FindFirstFileW,FindClose,_wcschr,FindFirstFileW,FindClose, 13_2_00477AC0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00456150 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,_wcsrchr,_wcsrchr,_wcsncpy,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,GetLastError,CopyFileW,GetLastError,FindNextFileW,FindClose, 13_2_00456150
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004733E0 FindFirstFileW,FindClose,GetFileAttributesW,CreateFileW,WriteFile,WriteFile,WriteFile,CloseHandle, 13_2_004733E0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00444390 FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,GetLastError,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,__swprintf,FindNextFileW,FindClose, 13_2_00444390
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004554D0 _wcschr,_wcschr,GetFileAttributesW,FindFirstFileW,FindClose,CoInitialize,CoCreateInstance,CoUninitialize, 13_2_004554D0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0042E5D0 FindFirstFileW,FindNextFileW,FindClose,GetTickCount,__wcstoi64,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose, 13_2_0042E5D0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00444690 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime, 13_2_00444690
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004449D0 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 13_2_004449D0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00477A30 FindFirstFileW,FindClose,GetFileAttributesW, 13_2_00477A30
Source: SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2159525943.000000000082F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2156529245.00000000008BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00412040 BlockInput,_free,BlockInput, 13_2_00412040
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00497116 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00497116
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00478430 __wcsnicmp,__wcsnicmp,__wcstoi64,_wcsrchr,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,LoadLibraryW,LoadLibraryW,LoadImageW,GetFileAttributesW,__wcsicoll,__wcsicoll,__wcsicoll,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,DeleteObject,GetIconInfo,GetObjectW,CreateFileW,GetFileSize,GlobalAlloc,CloseHandle,GlobalLock,CloseHandle,GlobalFree,ReadFile,GlobalUnlock,CloseHandle,CreateStreamOnHGlobal,OleLoadPicture,GlobalFree,DeleteObject,DeleteObject,DestroyIcon,LoadImageW,DestroyIcon,CopyImage,CopyImage,CreateIconIndirect,DeleteObject, 13_2_00478430
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_0049CFAE __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 13_2_0049CFAE
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00497116 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00497116
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00494515 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00494515
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00431A00 __wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,__wcsicoll,_memset,__swprintf,CreateProcessW,CloseHandle,CloseHandle,GetLastError,_memset,__wcsicoll,_wcschr,SetCurrentDirectoryW,_wcschr,_wcschr,GetFileAttributesW,_wcschr,SetCurrentDirectoryW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetLastError,FormatMessageW, 13_2_00431A00
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004114D0 GetCurrentThreadId,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,BlockInput,GetForegroundWindow,GetAsyncKeyState,keybd_event,keybd_event,GetAsyncKeyState,keybd_event,GetAsyncKeyState,BlockInput, 13_2_004114D0
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_004123D0 GetAsyncKeyState,GetSystemMetrics,GetSystemMetrics,GetCursorPos,WindowFromPoint,GetWindowThreadProcessId,SendMessageW,mouse_event,mouse_event, 13_2_004123D0
Source: ESET key finder.exe Binary or memory string: Program Manager
Source: ESET key finder.exe Binary or memory string: Shell_TrayWnd
Source: ESET key finder.exe Binary or memory string: Progman
Source: SecuriteInfo.com.FileRepMalware.6681.9154.tmp, 00000001.00000003.2150730649.000000000578E000.00000004.00001000.00020000.00000000.sdmp, ESET key finder.exe, 0000000D.00000000.2149173747.00000000004A2000.00000002.00000001.01000000.0000000B.sdmp, ESET key finder.exe, 0000000D.00000002.2870851261.00000000004A2000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: @TextLEFTLRIGHTRMIDDLEMX1X2WUWDWLWR{Blind}{ClickLl{}^+!#{}RawTempASC U+ ,LWin RWin LShift RShift LCtrl RCtrl LAlt RAlt SYSTEM\CurrentControlSet\Control\Keyboard Layouts\Layout FileKbdLayerDescriptorsc%03Xvk%02XSCALTDOWNALTUPSHIFTDOWNSHIFTUPCTRLDOWNCONTROLDOWNCTRLUPCONTROLUPLWINDOWNLWINUPRWINDOWNRWINUPRtlGetVersionntdll.dll%u.%u.%uStdOutAllUnreachableClassOverwriteUseEnvLocalSameAsGlobalUseUnsetGlobalUseUnsetLocalYYYYYWeekYearYDayWorkingDirWinDirWinDelayWDayUserNameTitleMatchModeSpeedTitleMatchModeTimeSinceThisHotkeyTimeSincePriorHotkeyTimeIdlePhysicalTimeIdleMouseTimeIdleKeyboardTimeIdleTickCountThisMenuItemPosThisMenuItemThisMenuThisLabelThisHotkeyThisFuncStoreCapslockModeStartupCommonStartupStartMenuCommonStartMenuSecScriptNameScriptHwndScriptFullPathScriptDirScreenWidthScreenHeightScreenDPIRegViewPtrSizeProgramsCommonProgramsPriorKeyPriorHotkeyOSVersionOSTypeNumBatchLinesNowUTCNowMyDocumentsMSecMouseDelayPlayMouseDelayMonMMMMMMMMMMinMDayLoopRegTypeLoopRegTimeModifiedLoopRegSubKeyLoopRegNameLoopRegKeyLoopReadLineLoopFileTimeModifiedLoopFileTimeCreatedLoopFileTimeAccessedLoopFileSizeMBLoopFileSizeKBLoopFileSizeLoopFileShortPathLoopFileShortNameLoopFilePathLoopFileNameLoopFileLongPathLoopFileFullPathLoopFileExtLoopFileDirLoopFileAttribLoopFieldLineNumberLineFileLastErrorLanguageKeyDurationPlayKeyDurationKeyDelayPlayKeyDelayIsUnicodeIsSuspendedIsPausedIsCriticalIsCompiledIsAdminIs64bitOSIPAddress4IPAddress3IPAddress2IPAddress1InitialWorkingDirIndexIconTipIconNumberIconHiddenIconFileHourGuiYGuiXGuiWidthGuiHeightGuiEventGuiControlEventFormatIntegerFormatFloatExitReasonEventInfoEndCharDesktop
CommonDesktopDefaultTreeViewDefaultMouseSpeedDefaultListViewDefaultGuiDDDDDDDDDCursorCoordModeToolTipCoordModePixelCoordModeMouseCoordModeMenuCoordModeCaretControlDelayComputerNameCaretYCaretXBatchLinesAppDataCommonAppDataAhkVersionAhkPathTrueProgramFilesFalseComSpecClipboardAll...%s[%Iu of %Iu]: %-1.60s%sPropertyRegExMatch\:\:REG_SZREG_EXPAND_SZREG_MULTI_SZREG_DWORDREG_BINARYDefault3264LineRegExFASTSLOWAscChrDerefHTMLModPowExpSqrtLogLnRoundCeilFloorAbsSinCosTanASinACosATanBitAndBitOrBitXOrBitNotBitShiftLeftBitShiftRightAddDestroyNamePriorityInterruptNoTimersLabelTypeCountLocalePermitMouseSendAndMouseMouseMoveOffPlayEventThenEventThenPlayYESNOOKCANCELABORTIGNORERETRYCONTINUETRYAGAINMINMAXHIDEScreenRelativeWindowClientPixelCaretIntegerFloatNumberTimeDateDigitXdigitAlnumAlphaUpperLowerUTF-8UTF-8-RAWUTF-16UTF-16-RAWCPFuncRemoveClipboardFormatListeneruser32AddClipboardFormatListenerTrayNo tray memstatus AHK_PlayMe modeclose AHK_PlayMeRegClassAutoHotkey2Shell_TrayWndCreateWindoweditConsolasLucida Console*ErrorLevel <>=/|^,:*&~!()[]{}+-?."'\;`IFWHILEClass>AUTOHOTKEY SCRIPT<Could not extract script from EXE./*#CommentFlag*/and<>=/|^,:<>=/|^,:.+-*&!?~::?*- Continuation section too long.JoinLTrimRTrimMissing ")"Functions cannot contain functions.Missing "{"Not a valid method, class or property definition.GetSetNot a valid property getter/setter.Hotkeys/hotstrings are n
Source: ESET key finder.exe, 0000000D.00000000.2149173747.00000000004B3000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: "%-1.300s"The maximum number of MsgBoxes has been reached.IsHungAppWindowDwmGetWindowAttributedwmapi.dllahk_idpidgroup%s%uProgram ManagerProgmanWorkerWError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: C:\Users\user\AppData\Local\Temp\is-K223H.tmp\SecuriteInfo.com.FileRepMalware.6681.9154.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Queries volume information: C:\Program Files (x86)\Sperhak Industries\ESET key finder\data\Sperhak logo.png VolumeInformation
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00446050 GetSystemTime,GetLocalTime,__swprintf, 13_2_00446050
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00446250 GetComputerNameW,GetUserNameW, 13_2_00446250
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00415081 GetModuleHandleW,GetProcAddress,GetVersionExW,__snwprintf, 13_2_00415081
Source: ESET key finder.exe Binary or memory string: WIN_XP
Source: ESET key finder.exe, 0000000D.00000002.2870851261.00000000004A2000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: ?*A Goto/Gosub must not jump into a block that doesn't enclose it.ddddddd%02d%dmsSlowLogoffSingle1.1.35.00\AutoHotkey.exeWIN32_NTWIN_8.1WIN_8WIN_7WIN_VISTAWIN_XPWIN_2003WIN_2000%04hX0x%Ix*pPIntStrPtrShortInt64DoubleAStrWStrgdi32comctl32kernel32W-3-4CDecl-2This DllCall requires a prior VarSetCapacity.Pos%sLen%sPos%dLen%dLenMarkpcre_calloutCompile error %d at offset %d: %hs-+0 #diouxXeEfgGaAcCpULlTt%0.*fCcFfSelectVisCenterUniDescLogicalNoSortAutoHdrFirstBoldExpandGDI+JoyJoyXJoyYJoyZJoyRJoyUJoyVJoyPOVJoyNameJoyButtonsJoyAxesJoyInfoGetProcessImageFileNameWpsapiT&L@
Source: ESET key finder.exe Binary or memory string: WIN_VISTA
Source: ESET key finder.exe Binary or memory string: WIN_7
Source: ESET key finder.exe Binary or memory string: WIN_8
Source: ESET key finder.exe Binary or memory string: WIN_8.1
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00417470 Shell_NotifyIconW,DeleteObject,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DeleteObject,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DestroyIcon,DestroyIcon,IsWindow,DestroyWindow,DeleteObject,RemoveClipboardFormatListener,ChangeClipboardChain,mciSendStringW,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize,_free,_free,_free, 13_2_00417470
Source: C:\Program Files (x86)\Sperhak Industries\ESET key finder\ESET key finder.exe Code function: 13_2_00417CC0 AddClipboardFormatListener,PostMessageW,SetClipboardViewer,RemoveClipboardFormatListener,ChangeClipboardChain, 13_2_00417CC0