Windows Analysis Report
ALC700V1.0.0.7a.exe

Overview

General Information

Sample name: ALC700V1.0.0.7a.exe
Analysis ID: 1447844
MD5: 44a0ff24ec7706b11ad67c11c0afc666
SHA1: 70c7ececcf65c4cc292f4e3afbc3e8e4d2ff2d4f
SHA256: 8051763b55989582af9a7918644077623332b3f6298c4ae2399f4c2f1430d8ae

Detection

Score: 6
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Execution From GUID Like Folder Names
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Source: ALC700V1.0.0.7a.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: ALC700.pdb source: MSI8386.tmp.2.dr
Source: Binary string: \V1.0.0.2\ALC700\obj\Debug\ALC700.pdb source: ALC700V1.0.0.2.exe.2.dr
Source: Binary string: C:\CodeBases\isdev\Redist\Language Independent\x64\ISBEW64.pdb source: ISBEW64.exe, 0000000A.00000000.1942394263.0000000140012000.00000002.00000001.01000000.00000006.sdmp, ISBEW64.exe, 0000000A.00000002.1947204084.0000000140012000.00000002.00000001.01000000.00000006.sdmp, ISBEW64.exe.9.dr
Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_IsRes.pdb source: _isres.dll.9.dr
Source: Binary string: E:\VS WS\ALC700\ALC700\obj\Debug\ALC700.pdb source: ALC700.exe.2.dr
Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_IsRes.pdb0 source: _isres.dll.9.dr
Source: Binary string: \V1.0.0.3\ALC700\obj\Debug\ALC700.pdb source: ALC700V1.0.0.3.exe.2.dr
Source: Binary string: ALC700.pdb@@@ source: MSI8386.tmp.2.dr
Source: Binary string: alc700.pdb source: MSI8386.tmp.2.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_0043CACF __EH_prolog,GetProcAddress,SearchPathW,GetModuleFileNameW,FindFirstFileW,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose, 0_2_0043CACF
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_0041768E __EH_prolog,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,FindClose, 0_2_0041768E
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe Code function: 4x nop then or byte ptr [rax-01h], 00000008h 10_2_000000014000E8A0
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe Code function: 4x nop then movsxd rbx, qword ptr [r14+10h] 10_2_0000000140008E40
Source: MSI8386.tmp.2.dr String found in binary or memory: http://www.SmartGen.com
Source: _isres.dll.9.dr, ISBEW64.exe.9.dr, ISRT.dll.9.dr String found in binary or memory: http://www.acresso.com0
Source: ALC700V1.0.0.3.exe.2.dr, ALC700.exe.2.dr, ALC700V1.0.0.2.exe.2.dr String found in binary or memory: http://www.smartgen.com.cn/soft/shuomingshu/ALC700
Source: ALC700V1.0.0.3.exe.2.dr, ALC700.exe.2.dr, ALC700V1.0.0.2.exe.2.dr String found in binary or memory: http://www.smartgen.com.cn/ziliao.html
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_0042DA98 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 0_2_0042DA98
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4280a8.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4280a9.mst
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{5D00ED55-C696-4760-A65D-39DCD0EDE479}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8386.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe_7A1B2C9513F744CFB0D29EC2A28A035D.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\UNINST_Uninstall_A_EA7F3D3DD29C46D9BED64B9B56BFF9AD.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe1_2075C35845C24B1A973EEF051A490E77.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4280ab.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\1033.MST
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9182.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\4280ab.msi
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: String function: 004312B8 appears 322 times
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: String function: 00408512 appears 83 times
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: String function: 00407C06 appears 37 times
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: String function: 00401504 appears 72 times
Source: ALC700V1.0.0.7a.exe, 00000000.00000002.2010613606.0000000000464000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSetup.exe vs ALC700V1.0.0.7a.exe
Source: ALC700V1.0.0.7a.exe Binary or memory string: OriginalFilenameSetup.exe vs ALC700V1.0.0.7a.exe
Source: classification engine Classification label: clean6.winEXE@8/80@0/0
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_0042CE90 LoadLibraryW,GetProcAddress,lstrcpyW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,FreeLibrary, 0_2_0042CE90
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe Code function: 10_2_0000000140005F00 CoCreateInstance, 10_2_0000000140005F00
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_0040B42F FindResourceW,SizeofResource,LoadResource,LockResource, 0_2_0040B42F
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SmartGen
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\Public\Desktop\ALC700V1.0.0.7.exe.lnk
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe File created: C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\
Source: ALC700V1.0.0.7a.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe File read: C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe File read: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe
Source: unknown Process created: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe "C:\Users\user\Desktop\ALC700V1.0.0.7a.exe"
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\ALC700.msi" TRANSFORMS="C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\1033.MST" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="ALC700V1.0.0.7a.exe"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AE1C5CB6EAA2F7204ACFFD8FF0580D22
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ECFD35B4-EE7C-4A3E-8C20-772B5E9C8DE7}
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe File written: C:\Users\user\AppData\Local\Temp\{7EE72123-8FB4-413B-85F2-4624F9EAE8C0}\Setup.INI
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Automated click: OK
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Install
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: ALC700V1.0.0.7a.exe Static file information: File size 17546140 > 1048576
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_004312B8 push eax; ret 0_2_004312D6
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_00431980 push eax; ret 0_2_004319AE
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.6.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\zh-CN\ALC700.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\Interop.TeeChart.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe_7A1B2C9513F744CFB0D29EC2A28A035D.exe
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.2.exe
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\_isres.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9182.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\UNINST_Uninstall_A_EA7F3D3DD29C46D9BED64B9B56BFF9AD.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\stdole.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\TeeChart5.ocx
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.4.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.3.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe1_2075C35845C24B1A973EEF051A490E77.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.5.exe
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISRT.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\en-US\ALC700.resources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\AxInterop.TeeChart.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe1_2075C35845C24B1A973EEF051A490E77.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe_7A1B2C9513F744CFB0D29EC2A28A035D.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9182.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\UNINST_Uninstall_A_EA7F3D3DD29C46D9BED64B9B56BFF9AD.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ARPPRODUCTICON.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24 Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SmartGen Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SmartGen\ALC700 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SmartGen\ALC700\ALC700V1.0.0.7.exe.lnk Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SmartGen\ALC700\Uninstall ALC700V1.0.0.7.lnk Jump to behavior
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_0043C8C3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0043C8C3
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\stdole.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.6.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\TeeChart5.ocx
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.4.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.3.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\zh-CN\ALC700.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe1_2075C35845C24B1A973EEF051A490E77.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ALC700.exe_7A1B2C9513F744CFB0D29EC2A28A035D.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\Interop.TeeChart.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.2.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\ALC700V1.0.0.5.exe
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\_isres.dll
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISRT.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\en-US\ALC700.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI9182.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\UNINST_Uninstall_A_EA7F3D3DD29C46D9BED64B9B56BFF9AD.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\SmartGen\ALC700\V1.0.0.7\AxInterop.TeeChart.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{5D00ED55-C696-4760-A65D-39DCD0EDE479}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\55DE00D5696C06746AD593CD0DDE4E97\1.0.0\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_0043CACF __EH_prolog,GetProcAddress,SearchPathW,GetModuleFileNameW,FindFirstFileW,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose, 0_2_0043CACF
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_0041768E __EH_prolog,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,FindClose, 0_2_0041768E
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_00423496 GetVersionExW,GetSystemInfo, 0_2_00423496
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe Code function: 10_2_0000000140007C20 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_0000000140007C20
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_0042CE90 LoadLibraryW,GetProcAddress,lstrcpyW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,FreeLibrary, 0_2_0042CE90
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_00403D56 GetFileSize,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,ReadFile,lstrlenA,MultiByteToWideChar,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,ReadFile,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00403D56
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_004369A3 SetUnhandledExceptionFilter, 0_2_004369A3
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_004369B5 SetUnhandledExceptionFilter, 0_2_004369B5
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe Code function: 10_2_000000014000ADF0 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_000000014000ADF0
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe Code function: 10_2_000000014000B200 SetUnhandledExceptionFilter, 10_2_000000014000B200
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe Code function: 10_2_000000014000AE90 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_000000014000AE90
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe Code function: 10_2_000000014000AFA0 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_000000014000AFA0
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i "c:\users\user\appdata\local\temp\{7ee72123-8fb4-413b-85f2-4624f9eae8c0}\alc700.msi" transforms="c:\users\user\appdata\local\temp\{7ee72123-8fb4-413b-85f2-4624f9eae8c0}\1033.mst" setupexedir="c:\users\user\desktop" setupexename="alc700v1.0.0.7a.exe"
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_004292D3 __EH_prolog,InitializeSecurityDescriptor,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity,LocalFree,LocalFree, 0_2_004292D3
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_0042DB6D GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid, 0_2_0042DB6D
Source: MSI9182.tmp.2.dr Binary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
Source: ALC700V1.0.0.7a.exe Binary or memory string: Shell_TrayWnd
Source: ALC700V1.0.0.7a.exe Binary or memory string: %sSetupLogFileNameSoftware\InstallShield\ISWI\7.0\SetupExeLog /z/verbose %IS_V%verboseISSetupSoftware\Microsoft\Windows\CurrentVersion\Run/uninstuninst%IS_T%tempdisk1folder/SMS/sSMS/rremoveasmajorupgraderebootrunfromtemprunas/removeonlyremoveonly/noscript_uninstnoscript_uninst/m1/m2/m/jdefaultinstance=hide_splashhide_progress/f2/fSoftware\Microsoft\Windows\CurrentVersion%IS_E%}embed{/ddebuglog/a/autoauto%s%dkeyLanguagescountShell_TrayWndSplashTimeTahomaCancel%x,ALLCANCELDescriptionTitleMSlovenianBasque%#04x0x0409.iniNoSuppressRebootKeyDotNetOptionalInstallIfSilentDotNetOptionalSETUPEXENAMESETUPEXEDIRCertKeyCacheFolderCacheRootLocationTypeSuppressWrongOSSuppressReboot\""dotnetredistSp3.exevjredist20-LP.exevjredist-LP.exelangpack20.exelangpack.exedotnetfxsp1.exe0Microsoft(R) .NET FrameworkJ#CmdLine/jscmd:\"""/q:a /c:\" /redistui:F /redistui:SJ#Version/jsharpver:DotNetLangPacks /langs: /coreui:DotNetLangPackCmd /langcmd:"/q:a /c:\"""DotNetFxCmd" /c:"/redistui:F/redistui:S /ver: /q:a /l /q:a /c:"install /q"vjredist20.exevjredist.exedotnetfx20.exeDotNetCoreSetupUILang1033dotnetredist.exedotnetfx.exeisnetfx.exeInstallerLocationSoftware\Microsoft\Windows\CurrentVersion\InstallerSystem is Win9x or reboot is not being suppressed, reboot will be immediateReboot will be deferredRedist return value (%d) indicates a reboot is required, DotNetDelayReboot is %xC:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cppDotNetDelayReboot3.03.0.0.02.0.0.0J#OptionalJ#InstallOptionIfSilentReboot needed: %snoyesDelaying redist reboot...Reboot not suppressed, SuppressReboot set to NReboot not suppressed, SuppressReboot not set and MSI installedSuppressReboot set to Yes or MSI not being installed, suppressing rebootInstallSourceGot file '%s' for MSI engine installinstmsi30.exeAttempting to get MSI 3.0 redist insteadFailed to get fileAttempting to get file '%s' for MSI engine installWindowsInstaller-KB893803-x86.exeMSI 3.1 to be 
installed, was not installed with redist packageWindows Installer 4.5 or newer is required to run this installation but is not present on the machine. Setup will now exit.4.05.0.0Msi.DLLScriptDriven*.mst TRANSFORMS="\.mst.mst"TRANSFORMS=TRANSFORMS="Failed to locate ISSetup.dll (%s)MsiAction::InstallMsi - calling Reboot%s /a "%s"%s%s /f%s "%s" %s%s /j%s "%s" %s%s /x "%s" %s/p"%s" %s%s /p "%s" %s%s /i "%s" %s%s="%s" %s="%s"ISSCRIPTCMDLINE="ISSCRIPTCMDLINE%dMsiAction::Reboot command line %s\0001 /debuglog""%s" %s /l%d /t"%s" /e"%s" /v"%s" %s"%s" /k %s /l%d /t"%s" /e"%s" /w /v"%s" %s/c/x/p AFTERREBOOT=1Software\Microsoft\Windows\CurrentVersion\RunOnceSoftware\Microsoft\Windows\CurrentVersion\RunOnceExSOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries" /%SupportOSSupportOSMsi12SupportOSMsi30/c:"msiinst /delayrebootq""%s" /c:"msiinst /delayrebootq"/quiet /norestart"%s" /quiet /norestart/q"%s" /q2.0.2600.0Installing MSI engine %sInstall does not use scriptInstall is script driven (ISMSI)Install is basic with InstallScript custom acti
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: GetLocaleInfoW, 0_2_0042DCF0
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: GetLocaleInfoW,TranslateCharsetInfo, 0_2_0042DC93
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe Code function: GetLocaleInfoA, 10_2_0000000140010B70
Source: C:\Users\user\AppData\Local\Temp\{D77C1E86-1C1F-478B-BAB3-8C160D69DA7E}\ISBEW64.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 10_2_0000000140006FA0
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_00417A58 __EH_prolog,lstrlenW,wsprintfW,GetSystemTimeAsFileTime, 0_2_00417A58
Source: C:\Users\user\Desktop\ALC700V1.0.0.7a.exe Code function: 0_2_0041946E __EH_prolog,GetVersionExW,GetTempPathW,GetWindowsDirectoryW, 0_2_0041946E
No contacted IP infos