Windows Analysis Report
setup_CodecInstaller_full.exe

Overview

General Information

Sample name:	setup_CodecInstaller_full.exe
Analysis ID:	1447786
MD5:	171b409b3248772cc366d31a44aed9f6
SHA1:	7f9d938717e1056c59a9e9afa958253fc95b4a27
SHA256:	6ae9662200adb0543d626774c9461e51ee484005251fc34f132ae7ae58b132c7
Infos:

Detection

EICAR

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected EICAR

Creates an undocumented autostart registry key

Disables DEP (Data Execution Prevention) for certain images

Machine Learning detection for dropped file

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Whitelists domains for ActiveX usage

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Changes the start page of internet explorer

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May infect USB drives

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Common Autorun Keys Modification

Sigma detected: Internet Explorer Autorun Keys Modification

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection

Antivirus detection for dropped file

Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe

Avira: detection malicious, Label: PUA/Crawler.Gen

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Crawler\CToolbar.exe (copy)	ReversingLabs: Detection: 21%
Source: C:\Program Files (x86)\Crawler\ctbr.dll (copy)	ReversingLabs: Detection: 25%
Source: C:\Program Files (x86)\Crawler\is-4A847.tmp	ReversingLabs: Detection: 25%
Source: C:\Program Files (x86)\Crawler\is-ADSTV.tmp	ReversingLabs: Detection: 21%
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	ReversingLabs: Detection: 29%

Multi AV Scanner detection for submitted file

Source: setup_CodecInstaller_full.exe	Virustotal: Detection: 31%			Perma Link
Source: setup_CodecInstaller_full.exe	ReversingLabs: Detection: 37%

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: setup_CodecInstaller_full.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe

Window detected: < &Back&Next >Cancel License AgreementPlease review the license terms before installing CodecInstaller 2.10.4.Press Page Down to see the rest of the agreement.COPYRIGHT NOTICEPermission is granted free of charge to any person (the "User") obtaining a copy of this software and associated documentation files (the "Software") to deal in the Software with the rights to use copy publish distribute and to permit persons to whom the Software is furnished to do so provided that:1) the above copyright notice(s) and this permission notice appear in all copies of the Software and that both the above copyright notice(s)2) this permission notice appear in supporting documentation3) the Software is not used for commercial purposes or commercial environments4) no money is asked to redistribute the softwareThe only exception to the 4th rule is that the Software can be freely included in cover CD/DVD distributed with PC magazinesAll other rights including decompilation modification and merging of the Software are reserved.For other uses not covered by this license or for commercial licensing please contact the author.THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE DATA OR PROFITS WHETHER IN AN ACTION OF CONTRACT NEGLIGENCE OR OTHER TORTIOUS ACTION ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.PRIVACY POLICYThe full text of the privacy policy is available athttp://www.jockersoft.com/privacy.htmlIn short:This software may incorporate a module that will send error reports to jockersoft.com website to let us fix the errors and provide better programs to our users. The user can avoid sending the error report by unchecking the "Send error report" field. The error report contains the error message and the program name. It may also contain an installation ID that will let us distinguish multiple error submissions from the same application. This installation ID is a randomly generated number and is not correlated with information about individual users.No other data is collected.TERMS OF USE of jockersoft.com websiteThe full text of the Terms of Use of jockersoft.com website is available athttp://www.jockersoft.com/ToU.htmlIf you accept the terms of the agreement click the check box below. You must accept the agreement to install CodecInstaller 2.10.4. Click Next to continue.I &accept the terms in the License Agreement

Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\license.txt			Jump to behavior
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\README.txt			Jump to behavior

Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Source:	Binary string: v:\tb5\ctipsdef\Release\ctipsdef.pdb source: CrawlerSetup12.tmp, 00000004.00000002.1929026516.0000000005920000.00000004.00001000.00020000.00000000.sdmp, is-RD52J.tmp.4.dr
Source:	Binary string: Extract: CodecInstaller.pdb source: setup_CodecInstaller_full.exe, 00000000.00000002.1867010508.000000000063D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CodecInstaller.pdb source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.000000000278D000.00000004.00000020.00020000.00000000.sdmp, setup_CodecInstaller_full.exe, 00000000.00000003.1865720129.0000000000664000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Marco PontelloREM 7Symbol Table / Debug info used by Microsoft's compilersRURLNhttp://msdn.microsoft.com/library/en-us/vsdebug/html/_core_The_..PDB_Files.aspFNUM source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: v:\tb5\ctipsdef\Release\ctipsdef.pdb@ source: CrawlerSetup12.tmp, 00000004.00000002.1929026516.0000000005920000.00000004.00001000.00020000.00000000.sdmp, is-RD52J.tmp.4.dr
Source:	Binary string: \enApp.icoaudiohex.txtAUTORUN.INFcodecDatabaseCodecInstaller.pdbfilterdatalib.dll source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.000000000278D000.00000004.00000020.00020000.00000000.sdmp, setup_CodecInstaller_full.exe, 00000000.00000003.1865720129.0000000000664000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: http://msdn.microsoft.com/library/en-us/vsdebug/html/_core_The_..PDB_Files.aspFNUM source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp

Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.000000000278D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUN.INF
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.000000000278D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \enApp.icoaudiohex.txtAUTORUN.INFcodecDatabaseCodecInstaller.pdbfilterdatalib.dll
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.000000000278D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.000000000278D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0x0000~unknown~unknown~unknown0[autorun]
Source: setup_CodecInstaller_full.exe, 00000000.00000003.1865435771.0000000000683000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Extract: AUTORUN.INF
Source: setup_CodecInstaller_full.exe, 00000000.00000003.1865720129.0000000000664000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUN.INF
Source: setup_CodecInstaller_full.exe, 00000000.00000003.1865720129.0000000000664000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \enApp.icoaudiohex.txtAUTORUN.INFcodecDatabaseCodecInstaller.pdbfilterdatalib.dll
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Autorun.inf fileEXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867121919.0000000000683000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Extract: AUTORUN.INF
Source: AUTORUN.INF.0.dr	Binary or memory string: [autorun]

Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Code function: 0_2_00405D7C FindFirstFileA,FindClose,	0_2_00405D7C
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_004053AA
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Code function: 0_2_00402630 FindFirstFileA,	0_2_00402630

Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File opened: C:\Users\user\AppData\Local\Temp\nspFDE9.tmp\	Jump to behavior
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File opened: C:\Users\user\AppData\Local\Temp\nspFDE9.tmp\crawler.ini	Jump to behavior
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File opened: C:\Users\user\	Jump to behavior

Source: Yara match	File source: 5.0.CodecInstaller.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe, type: DROPPED

Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Code function: 0_2_0040604C	0_2_0040604C
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Code function: 0_2_00404772	0_2_00404772
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_024142A8	2_3_024142A8
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_0242A6B4	2_3_0242A6B4
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_0235E440	2_3_0235E440
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_0240287C	2_3_0240287C
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023BEE8C	2_3_023BEE8C
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_0240CC5C	2_3_0240CC5C
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023C8C78	2_3_023C8C78
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023B9354	2_3_023B9354
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023AB1D0	2_3_023AB1D0
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_0242B5E8	2_3_0242B5E8
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023A5FA4	2_3_023A5FA4
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023B9FEC	2_3_023B9FEC
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_02431C24	2_3_02431C24
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_0240A8EC	2_3_0240A8EC
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Code function: 4_3_05BFECE3	4_3_05BFECE3
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Code function: 4_3_05BF87EC	4_3_05BF87EC
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Code function: 4_3_05BFEF0D	4_3_05BFEF0D
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Code function: 4_3_05BFE6BD	4_3_05BFE6BD
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Code function: 4_3_05BFEE49	4_3_05BFEE49
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Code function: 4_3_05BFD1A2	4_3_05BFD1A2
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Code function: 4_3_05BFD289	4_3_05BFD289
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Code function: 4_3_05BF9A34	4_3_05BF9A34
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Code function: 4_3_05BFD249	4_3_05BFD249
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Code function: 4_3_06A5377E	4_3_06A5377E
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe	Code function: 5_2_1CDCEC4E	5_2_1CDCEC4E
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe	Code function: 5_2_1CDCA0F7	5_2_1CDCA0F7
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe	Code function: 5_2_1CDCEC97	5_2_1CDCEC97
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe	Code function: 5_2_00007FFD9BB1404A	5_2_00007FFD9BB1404A
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe	Code function: 5_2_00007FFD9BB15DA1	5_2_00007FFD9BB15DA1
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe	Code function: 5_2_00007FFD9BB11955	5_2_00007FFD9BB11955
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe	Code function: 5_2_00007FFD9BB16FED	5_2_00007FFD9BB16FED

Source: CrawlerSetup12.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: CrawlerSetup12.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: CrawlerSetup12.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) Intel Itanium, for MS Windows
Source: CrawlerSetup12.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: CrawlerSetup12.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: CrawlerSetup12.tmp.2.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-ADSTV.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 19900 bytes, 2 files, at 0x2c +A "info.ini" +A "language.ini", number 1, 2 datablocks, 0x1 compression
Source: is-ADSTV.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 17466 bytes, 2 files, at 0x2c +A "info.ini" +A "language.ini", number 1, 2 datablocks, 0x1 compression
Source: is-ADSTV.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 20613 bytes, 2 files, at 0x2c +A "info.ini" +A "language.ini", number 1, 2 datablocks, 0x1 compression
Source: is-ADSTV.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 15401 bytes, 2 files, at 0x2c +A "info.ini" +A "language.ini", number 1, 2 datablocks, 0x1 compression
Source: is-ADSTV.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 20947 bytes, 2 files, at 0x2c +A "info.ini" +A "language.ini", number 1, 2 datablocks, 0x1 compression
Source: is-ADSTV.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 20917 bytes, 2 files, at 0x2c +A "info.ini" +A "language.ini", number 1, 2 datablocks, 0x1 compression
Source: is-ADSTV.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 20397 bytes, 2 files, at 0x2c +A "info.ini" +A "language.ini", number 1, 2 datablocks, 0x1 compression
Source: is-ADSTV.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 17781 bytes, 2 files, at 0x2c +A "info.ini" +A "language.ini", number 1, 2 datablocks, 0x1 compression
Source: is-ADSTV.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 18529 bytes, 2 files, at 0x2c +A "info.ini" +A "language.ini", number 1, 2 datablocks, 0x1 compression
Source: is-ADSTV.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 19933 bytes, 2 files, at 0x2c +A "info.ini" +A "language.ini", number 1, 2 datablocks, 0x1 compression
Source: is-ADSTV.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 20404 bytes, 2 files, at 0x2c +A "info.ini" +A "language.ini", number 1, 2 datablocks, 0x1 compression
Source: is-ADSTV.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 20289 bytes, 2 files, at 0x2c +A "info.ini" +A "language.ini", number 1, 3 datablocks, 0x1 compression
Source: is-ADSTV.tmp.4.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.000000000278D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: get_OriginalFilename vs setup_CodecInstaller_full.exe
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.000000000278D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodecInstaller.exe8 vs setup_CodecInstaller_full.exe
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.000000000278D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodecInstaller.resources.dll8 vs setup_CodecInstaller_full.exe
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ORIGINALFILENAME vs setup_CodecInstaller_full.exe
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ]WINDOWS 95 OR WINDOWS NT IS REQUIRED TO INSTALL[COMMAND LINE OPTION SYNTAX ERROR. TYPE COMMANDYFILEDESCRIPTIONWIN32 CABINET SELF-EXTRACTOR9ORIGINALFILENAMEWEXTRACT.EXE)CABINET IS NOT VALID.)INTERNALNAMEWEXTRACT'FILERENAMEOPERATIONSWEXTRACT_CLEANUP vs setup_CodecInstaller_full.exe
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: eaLEGALTRADEMARKSTOOLBOOK IS A LEGAL TRADEMARK OFALEGALCOPYRIGHTPORTIONS COPYRIGHT9ASYMETRIXPORTIONS COPYRIGHT1FILEDESCRIPTIONTOOLBOOK)PRODUCTNAMETOOLBOOK'THIS PROGRAM CANNOT BE RUN IN DOS MODE.%ORIGINALFILENAMETB!4VS_VERSION_INFO vs setup_CodecInstaller_full.exe
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesetupHelper.exe8 vs setup_CodecInstaller_full.exe
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.000000000293D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodecInstaller.resources.dll8 vs setup_CodecInstaller_full.exe
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002946000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodecInstaller.resources.dll8 vs setup_CodecInstaller_full.exe
Source: setup_CodecInstaller_full.exe, 00000000.00000003.1865319731.00000000006D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs setup_CodecInstaller_full.exe
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002934000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodecInstaller.resources.dll8 vs setup_CodecInstaller_full.exe
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002950000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodecInstaller.resources.dll8 vs setup_CodecInstaller_full.exe
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002957000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodecInstaller.resources.dll8 vs setup_CodecInstaller_full.exe
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002969000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodecInstaller.resources.dll8 vs setup_CodecInstaller_full.exe
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002973000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodecInstaller.resources.dll8 vs setup_CodecInstaller_full.exe
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002960000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCodecInstaller.resources.dll8 vs setup_CodecInstaller_full.exe

Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Mutant created: \Sessions\1\BaseNamedObjects\InitLang_SetLangID_TBR5
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Mutant created: \Sessions\1\BaseNamedObjects\TB4RunMtxctoolbarexeregsvr
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Mutant created: \Sessions\1\BaseNamedObjects\TB4RegisterMtx
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Mutant created: \Sessions\1\BaseNamedObjects\CTSUPP_MTX_FF_COOKIES

Source: Yara match	File source: 7.0.CToolbar.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.1900724146.0000000000401000.00000020.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1929026516.0000000005920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Crawler\is-AVISQ.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Crawler\is-4A847.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Crawler\is-ADSTV.tmp, type: DROPPED

Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\setup_CodecInstaller_full.exe "C:\Users\user\Desktop\setup_CodecInstaller_full.exe"
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Process created: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe "C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe" /NORESTART /verysilent
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Process created: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp "C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp" /SL5="$304AA,2431449,71680,C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe" /NORESTART /verysilent
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Process created: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe "C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe"
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Process created: C:\Program Files (x86)\Crawler\CToolbar.exe "C:\Program Files (x86)\Crawler\CToolbar.exe" /REGSVR
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Process created: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe "C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe" /NORESTART /verysilent	Jump to behavior
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Process created: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe "C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe"	Jump to behavior
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Process created: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp "C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp" /SL5="$304AA,2431449,71680,C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe" /NORESTART /verysilent	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Process created: C:\Program Files (x86)\Crawler\CToolbar.exe "C:\Program Files (x86)\Crawler\CToolbar.exe" /REGSVR	Jump to behavior

Source: CodecInstaller.lnk.0.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe
Source: CodecInstaller.lnk0.0.dr	LNK file: ..\..\..\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe
Source: Website.lnk.0.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.url
Source: Help.lnk.0.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\JockerSoft\CodecInstaller\codecinstaller_faq.html

Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Automated click: Next >
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Automated click: I accept the terms in the License Agreement
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Automated click: Next >
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Automated click: Next >
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Automated click: Install

Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023D6208 push 00486E30h; ret	2_3_023D622C
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_02372250 push 00422E78h; ret	2_3_02372274
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023D6240 push 00486E68h; ret	2_3_023D6264
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023D62BC push 00486EE4h; ret	2_3_023D62E0
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_0241A2DC push 004CAF25h; ret	2_3_0241A321
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023DE294 push 0048EEC8h; ret	2_3_023DE2C4
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023D6284 push 00486EACh; ret	2_3_023D62A8
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_024102FC push 004C0F24h; ret	2_3_02410320
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023D62F4 push 00486F1Ch; ret	2_3_023D6318
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023D633C push 00486F64h; ret	2_3_023D6360
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_0243A308 push 004EAF30h; ret	2_3_0243A32C
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_024043EC push 004B5014h; ret	2_3_02404410
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023F63DC push 004A7004h; ret	2_3_023F6400
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023DE3D4 push ecx; mov dword ptr [esp], edx	2_3_023DE3D5
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023B6030 push 00466C58h; ret	2_3_023B6054
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023DE06C push 0048EC94h; ret	2_3_023DE090
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023D6054 push 00486C7Ch; ret	2_3_023D6078
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023560AC push 00406CD4h; ret	2_3_023560D0
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023DE0A4 push 0048ECD8h; ret	2_3_023DE0D4
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023B60D8 push 00466D00h; ret	2_3_023B60FC
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_0240214C push 004B2D74h; ret	2_3_02402170
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_02356124 push 00406D4Ch; ret	2_3_02356148
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023B6110 push 00466D38h; ret	2_3_023B6134
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023DC144 push 0048CD6Ch; ret	2_3_023DC168
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023681FC push 00418E45h; ret	2_3_02368241
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023DE1F0 push 0048EE18h; ret	2_3_023DE214
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023D41E8 push 00484E10h; ret	2_3_023D420C
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023D61D0 push 00486DF8h; ret	2_3_023D61F4
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_02438644 push 004E926Ch; ret	2_3_02438668
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_023DE600 push 0048F234h; ret	2_3_023DE630
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Code function: 2_3_0237C654 push 0042D27Ch; ret	2_3_0237C678

Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	File created: C:\Program Files (x86)\Crawler\is-AVISQ.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\it\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QHN33.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\ru\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	File created: C:\Program Files (x86)\Crawler\ctbr.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\filterdatalib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\fr\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\trid.exe	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\uninst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\de\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QHN33.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	File created: C:\Program Files (x86)\Crawler\CUpdate.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	File created: C:\Program Files (x86)\Crawler\is-RD52J.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\sv\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\tr\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	File created: C:\Program Files (x86)\Crawler\is-ADSTV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	File created: C:\Program Files (x86)\Crawler\CToolbar.exe (copy)	Jump to dropped file
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CrawlerSetup12.exe	File created: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\hu\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	File created: C:\Program Files (x86)\Crawler\is-HEK6I.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\pt\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\pl\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QHN33.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Users\user\AppData\Local\Temp\nspFDE9.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	File created: C:\Program Files (x86)\Crawler\CTipsDef.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	File created: C:\Program Files (x86)\Crawler\is-4A847.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\es\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Users\user\AppData\Local\Temp\nspFDE9.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\setupHelper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	File created: C:\Program Files (x86)\Crawler\ctbcomm.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File created: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe	Jump to dropped file

Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\tbr NULL	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\tbr NULL	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\tbr CLSID	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\tbr CLSID	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} NULL	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} NULL	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} NoExplorer	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} NoExplorer	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar {4B3803EA-5230-4DC3-A7FC-33638F3D3542}	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar {4B3803EA-5230-4DC3-A7FC-33638F3D3542}	Jump to behavior

Source: C:\Program Files (x86)\Crawler\CToolbar.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Crawler Toolbar	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Crawler Toolbar\More Crawler Products.lnk	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Crawler Toolbar\Toolbar Help.lnk	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Crawler Toolbar\Toolbar Settings.lnk	Jump to behavior
Source: C:\Program Files (x86)\Crawler\CToolbar.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Crawler Toolbar\Uninstall Crawler Toolbar.lnk	Jump to behavior

Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe	Memory allocated: 940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe	Memory allocated: 2740000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\JockerSoft\CodecInstaller\CodecInstaller.exe	Memory allocated: 1A740000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Crawler\is-AVISQ.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Dropped PE file which has not been started: C:\Program Files (x86)\JockerSoft\CodecInstaller\it\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QHN33.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Dropped PE file which has not been started: C:\Program Files (x86)\JockerSoft\CodecInstaller\ru\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Crawler\ctbr.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Dropped PE file which has not been started: C:\Program Files (x86)\JockerSoft\CodecInstaller\filterdatalib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Dropped PE file which has not been started: C:\Program Files (x86)\JockerSoft\CodecInstaller\fr\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Dropped PE file which has not been started: C:\Program Files (x86)\JockerSoft\CodecInstaller\trid.exe	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Dropped PE file which has not been started: C:\Program Files (x86)\JockerSoft\CodecInstaller\uninst.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QHN33.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Dropped PE file which has not been started: C:\Program Files (x86)\JockerSoft\CodecInstaller\de\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Crawler\CUpdate.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Crawler\is-RD52J.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Dropped PE file which has not been started: C:\Program Files (x86)\JockerSoft\CodecInstaller\sv\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Dropped PE file which has not been started: C:\Program Files (x86)\JockerSoft\CodecInstaller\tr\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Crawler\is-HEK6I.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Dropped PE file which has not been started: C:\Program Files (x86)\JockerSoft\CodecInstaller\hu\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Dropped PE file which has not been started: C:\Program Files (x86)\JockerSoft\CodecInstaller\pt\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Dropped PE file which has not been started: C:\Program Files (x86)\JockerSoft\CodecInstaller\pl\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QHN33.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspFDE9.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Crawler\is-4A847.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Dropped PE file which has not been started: C:\Program Files (x86)\JockerSoft\CodecInstaller\es\CodecInstaller.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspFDE9.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-56AVD.tmp\CrawlerSetup12.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Crawler\ctbcomm.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	Dropped PE file which has not been started: C:\Program Files (x86)\JockerSoft\CodecInstaller\setupHelper.exe	Jump to dropped file

Windows Analysis Report setup_CodecInstaller_full.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Change of System Appearance

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
setup_CodecInstaller_full.exe

Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File Volume queried: C:\Program Files (x86) FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\setup_CodecInstaller_full.exe	File Volume queried: C:\Program Files (x86) FullSizeInformation			Jump to behavior

Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TYPE9VMware 4 Virtual Harddisk description file for split diskEXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware configuration (Unix like ver.)EXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TYPE,VMware 4 Virtual Disk (part of a split disk)EXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://en.wikipedia.org/wiki/VMwareFNUM
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.comFNUM
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware 4 Virtual Disk (part of a split disk)EXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qcow is QEMU specific image format, with support for compression and optional AES Encription.RURL
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://www.qemu.com/FNUM
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TYPE VMware configuration (alternate)EXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMDKNAME"image-vmwaredisk-v4-split.trid.xmlUSER
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMU Copy On Write disk image (generic)EXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TYPE&VMware 4 Virtual Disc (monolitic disc)EXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware 4 Virtual Harddisk description file for split diskEXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Marco PontelloREM ]qcow is QEMU specific image format, with support for compression and optional AES Encription.RURL
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware configurationEXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: img-qemu.trid.xmlUSER
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TYPE'QEMU Copy On Write disk image (generic)EXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TYPE%VMware configuration (Unix like ver.)EXT
Source: CToolbar.exe, 00000007.00000002.1922609977.000000000085B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TritonioRURL&http://www.vmware.com/products/thinappFNUM
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/FNUM
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMDKNAME%image-vmwaredisk-description.trid.xmlUSER
Source: CodecInstaller.exe, 00000005.00000002.2880756166.000000001B2C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TYPE!(part of a) VMware 3 Virtual DiscEXT
Source: CrawlerSetup12.tmp, 00000004.00000003.1924782954.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMU qcow disk imageEXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .VMCINFO
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Marco PontelloRURL#http://en.wikipedia.org/wiki/VMwareFNUM
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware 4 Virtual Disc (monolitic disc)EXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware configuration (alternate)EXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: image-vmwaredisk-description.trid.xmlUSER
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/products/thinappFNUM
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: image-vmwaredisk-v4.trid.xmlUSER
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware LocalizationEXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware BIOS stateEXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Virtual PC Virtual HD imageEXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: image-vmwaredisk-v4-split.trid.xmlUSER
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: image-vmwaredisk-v3.trid.xmlUSER
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (part of a) VMware 3 Virtual DiscEXT

Source: CrawlerSetup12.tmp, 00000004.00000002.1929026516.0000000005920000.00000004.00001000.00020000.00000000.sdmp, CToolbar.exe, 00000007.00000000.1900724146.0000000000401000.00000020.00000001.01000000.00000018.sdmp, is-ADSTV.tmp.4.dr	Binary or memory string: LC_CFGProgmanj
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Windows Program Manager GroupEXT
Source: setup_CodecInstaller_full.exe, 00000000.00000002.1867825999.0000000002981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OPTYPE_PROGMAN
Source: CrawlerSetup12.tmp, CrawlerSetup12.tmp, 00000004.00000002.1929026516.0000000005920000.00000004.00001000.00020000.00000000.sdmp, CToolbar.exe, 00000007.00000000.1900724146.0000000000401000.00000020.00000001.01000000.00000018.sdmp, is-ADSTV.tmp.4.dr	Binary or memory string: Progman

ID:	1447786
Product:	CloudBasic
Start time:	02:58:54
Start date:	27.05.2024
Sample:	setup_CodecInstaller_full.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	171b409b3248772cc366d31a44aed9f6
SHA1:	7f9d938717e1056c59a9e9afa958253fc95b4a27
SHA256:	6ae9662200adb0543d626774c9461e51ee484005251fc34f132ae7ae58b132c7
Filetype:	Win32 Executable (generic) a (10002005/4) 92.16%