Windows Analysis Report
StretchInstall.exe

Overview

General Information

Sample name: StretchInstall.exe
Analysis ID: 1467084
MD5: 3f82a2195043cd2877b674cb321e2cf7
SHA1: c2925fed17cba166db7164abdc0eb1f41de9717d
SHA256: 8f77b3b68bdfa80e0688a09c5e08ed765b6783192f4792524b8a1eec7ed7b608

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a global mouse hook
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_01006205 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_01006205
Source: StretchInstall.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe File created: C:\Users\user\AppData\Local\Temp\VSDAAAD.tmp\install.log
Source: Binary string: wextract.pdb source: StretchInstall.exe
Source: Binary string: setup.pdb source: setup.exe, setup.exe, 00000002.00000000.2092317947.0000000000D21000.00000020.00000001.01000000.00000005.sdmp, setup.exe, 00000002.00000002.3342575243.0000000000D21000.00000020.00000001.01000000.00000005.sdmp, setup.exe.0.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_01002A96 FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_01002A96
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D2DE9F __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindClose,FindClose, 2_2_00D2DE9F
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F83089 GetModuleHandleA,GetProcAddress,FindFirstFileA, 11_2_00F83089
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F83477 _strcpy_s,lstrlenA,SetLastError,FindFirstFileA,GetLastError,__fullpath,__splitpath_s,__makepath_s, 11_2_00F83477
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F7D99C __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_strcpy_s, 11_2_00F7D99C
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer\{1D2F2573-A76A-47DA-BB96-6860D17CC45B}
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: StchCtrl.exe, 0000000B.00000002.3342588557.00000000010D9000.00000002.00000001.01000000.00000008.sdmp, Stretch.exe.4.dr, StchCtrl.exe.4.dr String found in binary or memory: http://activate.esellerate.net
Source: StchCtrl.exe.4.dr String found in binary or memory: http://activate.esellerate.net).
Source: setup.exe, 00000002.00000002.3342719410.0000000002356000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.c
Source: StchCtrl.exe, 0000000B.00000002.3342588557.00000000010D9000.00000002.00000001.01000000.00000008.sdmp, Stretch.exe.4.dr, StchCtrl.exe.4.dr String found in binary or memory: http://www.esellerate.net/papolicy
Source: StchCtrl.exe, 0000000B.00000002.3342588557.00000000010D9000.00000002.00000001.01000000.00000008.sdmp, Stretch.exe.4.dr, StchCtrl.exe.4.dr String found in binary or memory: http://www.esellerate.net/papolicyhttp://activate.esellerate.netSelect
Source: StchCtrl.exe, 0000000B.00000002.3342588557.00000000010D9000.00000002.00000001.01000000.00000008.sdmp, Stretch.exe.4.dr, StchCtrl.exe.4.dr String found in binary or memory: http://www.esellerate.net/privacy.asp
Source: StchCtrl.exe, 0000000B.00000002.3342588557.00000000010D9000.00000002.00000001.01000000.00000008.sdmp, Stretch.exe.4.dr, StchCtrl.exe.4.dr String found in binary or memory: http://www.esellerate.net/privacy.aspCONNECTION
Source: StchCtrl.exe, 0000000B.00000002.3342928233.000000006BCFA000.00000002.00000001.01000000.0000000A.sdmp, StretchRes.dll.4.dr String found in binary or memory: http://www.shelterpub.com/
Source: StchCtrl.exe, 0000000B.00000002.3342928233.000000006BCFA000.00000002.00000001.01000000.0000000A.sdmp, StretchRes.dll.4.dr String found in binary or memory: http://www.stretchware.com/
Source: StchCtrl.exe.4.dr String found in binary or memory: http://www.stretchware.com/expire.html
Source: StchCtrl.exe, 0000000B.00000002.3342928233.000000006BCFA000.00000002.00000001.01000000.0000000A.sdmp, StretchRes.dll.4.dr String found in binary or memory: http://www.stretchware.com/expire.htmlPAMornKeybWrisStrsLbakStanStifSpon
Source: StretchRes.dll.4.dr String found in binary or memory: http://www.stretchware.com/stretching_resources.html(http://www.stretchware.com/products.html

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_73F712A0 SetWindowsHookExA 00000002,?KeyboardProc@@YGJHIJ@Z,?,00000000 11_2_73F712A0
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Windows user hook set: 0 keyboard C:\Program Files (x86)\Shelter Publications\StretchWare\StretchHook.dll
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Windows user hook set: 0 mouse C:\Program Files (x86)\Shelter Publications\StretchWare\StretchHook.dll
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_0100969E __EH_prolog3_catch_GS,CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard, 11_2_0100969E
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F7A00F GetPropA,GlobalLock,SendMessageA,SendMessageA,GlobalUnlock,RemovePropA,GlobalFree,GlobalUnlock,GetAsyncKeyState,SendMessageA, 11_2_00F7A00F
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Windows user hook set: 0 mouse C:\Program Files (x86)\Shelter Publications\StretchWare\StretchHook.dll
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FC0035 MessageBeep,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA, 11_2_00FC0035
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FB235A GetKeyState,GetKeyState,GetKeyState, 11_2_00FB235A
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F94665 IsWindow,SendMessageA,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen, 11_2_00F94665
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F927D9 IsWindow,SendMessageA,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen, 11_2_00F927D9
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FC0BF8 GetParent,GetKeyState,GetKeyState,GetKeyState,SendMessageA,SendMessageA,SendMessageA, 11_2_00FC0BF8
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F6F1C6 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA, 11_2_00F6F1C6
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FB3910 ScreenToClient,_memset,_free,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 11_2_00FB3910
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F6DAD0 GetKeyState,GetKeyState,GetKeyState, 11_2_00F6DAD0
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F6DA80 GetKeyState,GetKeyState,GetKeyState,MessageBeep, 11_2_00F6DA80
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FDBC1B GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer, 11_2_00FDBC1B
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F75E51 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 11_2_00F75E51
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FCDF74 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 11_2_00FCDF74
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_73F71160 GetKeyState,GetKeyState,GetKeyState,GetKeyState,FindWindowA,PostMessageA, 11_2_73F71160
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_01002251 ExitWindowsEx, 0_2_01002251
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_010019C3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 0_2_010019C3
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D4509A __EH_prolog3_catch_GS,HeapSetInformation,CoInitialize,CloseHandle,CoUninitialize,FreeLibrary,MessageBoxW,ExitWindowsEx,CloseHandle,CoUninitialize,FreeLibrary,MessageBoxW,KiUserCallbackDispatcher,CloseHandle,CoUninitialize,FreeLibrary,CloseHandle,CoUninitialize,FreeLibrary,CloseHandle,CoUninitialize,FreeLibrary,CoUninitialize,FreeLibrary,__CxxThrowException@8,CoUninitialize,MessageBoxW,Sleep,CoUninitialize,FreeLibrary,MessageBoxW,CoUninitialize,CoUninitialize,CoUninitialize, 2_2_00D4509A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D41C67 __EH_prolog3_GS,CloseHandle,ExitWindowsEx, 2_2_00D41C67
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F61CE0 _memset,CreateProcessA,MessageBoxA,ExitWindowsEx,PostQuitMessage, 11_2_00F61CE0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3ad363.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{1D2F2573-A76A-47DA-BB96-6860D17CC45B}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID586.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3ad365.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3ad365.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\3ad365.msi
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_0100871A 0_2_0100871A
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_01009A1F 0_2_01009A1F
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_01008A3E 0_2_01008A3E
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_01009175 0_2_01009175
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_01008DBD 0_2_01008DBD
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_010095E5 0_2_010095E5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D4509A 2_2_00D4509A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D611BB 2_2_00D611BB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D64334 2_2_00D64334
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D5C5BF 2_2_00D5C5BF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D62656 2_2_00D62656
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D6070F 2_2_00D6070F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D6189C 2_2_00D6189C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D51A79 2_2_00D51A79
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D60C65 2_2_00D60C65
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D50DF0 2_2_00D50DF0
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FE40F6 11_2_00FE40F6
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FA421B 11_2_00FA421B
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_0100A9CA 11_2_0100A9CA
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FE4A45 11_2_00FE4A45
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FE2E85 11_2_00FE2E85
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F972BF 11_2_00F972BF
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_0106353C 11_2_0106353C
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_01071C17 11_2_01071C17
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: String function: 00D2A9C9 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: String function: 00D531F0 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: String function: 00D2AD06 appears 73 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: String function: 00D4F37D appears 104 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: String function: 00D6291B appears 32 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: String function: 00D4F3F0 appears 148 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: String function: 00D2EDD0 appears 34 times
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: String function: 00F72A87 appears 35 times
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: String function: 01062E02 appears 501 times
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: String function: 01062F10 appears 38 times
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: String function: 00F7E75E appears 42 times
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: String function: 00F66A20 appears 44 times
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: String function: 01062E6B appears 164 times
Source: StretchInstall.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 2821436 bytes, 2 files, at 0x2c +A "StretchWare.msi" +A "setup.exe", ID 2436, number 1, 100 datablocks, 0x1503 compression
Source: StchCtrl.exe.4.dr Static PE information: Resource name: DLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: Stretch.exe.4.dr Static PE information: Resource name: DLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: StretchInstall.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE j% vs StretchInstall.exe
Source: StretchInstall.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
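
The static scan above identifies StretchInstall.exe as a Microsoft wextract (IExpress) stub: the OriginalFilename is WEXTRACT.EXE, the PDB path is wextract.pdb, and the RT_RCDATA resource is a Microsoft Cabinet holding StretchWare.msi and setup.exe (CFFILE table at 0x2c, 100 data blocks, compression type 0x1503, which decodes to LZX with a 21-bit window; "+A" is the archive attribute). The Python below is an added triage example, not code from the report or from the StretchWare product: it carves the MSCF signature out of a blob and walks the CFHEADER, CFFOLDER and CFFILE tables without decompressing any data, which is enough to list what a self-extractor will drop before it is ever run. The cabinet it parses is constructed inline with the two file names from the report; the file sizes, timestamps and set ID are invented for the demonstration.

```python
import struct
from datetime import datetime

CAB_MAGIC = b"MSCF"
CFHEADER_SIZE = 36            # fixed part of CFHEADER (MS-CAB spec)
CFFOLDER_SIZE = 8
CFHDR_RESERVE_PRESENT = 0x0004

COMPRESSION = {0: "NONE", 1: "MSZIP", 2: "QUANTUM", 3: "LZX"}   # typeCompress & 0xF
ATTRIBS = {0x01: "R", 0x02: "H", 0x04: "S", 0x20: "A", 0x40: "X"}  # CFFILE attribs bits


def find_cabinets(blob):
    """Offsets of every 'MSCF' signature in a blob (a whole PE, or its RT_RCDATA resource)."""
    offsets, pos = [], blob.find(CAB_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(CAB_MAGIC, pos + 1)
    return offsets


def _dos_datetime(date, time):
    """CFFILE stores DOS packed date/time; invalid packs are returned as None."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None


def parse_cab(data, offset=0):
    """Parse CFHEADER/CFFOLDER/CFFILE at `offset`; CFDATA blocks are never touched,
    so this is safe to run on untrusted input for triage."""
    hdr = data[offset:offset + CFHEADER_SIZE]
    if len(hdr) < CFHEADER_SIZE or hdr[:4] != CAB_MAGIC:
        raise ValueError("no CFHEADER at offset 0x%x" % offset)
    (_, cb_cabinet, _, coff_files, _, ver_minor, ver_major,
     c_folders, c_files, flags, set_id, _) = struct.unpack_from("<IIIIIBBHHHHH", hdr, 4)
    pos, folder_reserve = offset + CFHEADER_SIZE, 0
    if flags & CFHDR_RESERVE_PRESENT:            # optional per-header/per-folder reserve areas
        cb_hdr_reserve, folder_reserve, _ = struct.unpack_from("<HBB", data, pos)
        pos += 4 + cb_hdr_reserve
    folders = []
    for _ in range(c_folders):
        coff_start, c_cfdata, tcomp = struct.unpack_from("<IHH", data, pos)
        pos += CFFOLDER_SIZE + folder_reserve
        folders.append({"data_offset": coff_start, "blocks": c_cfdata,
                        "compression": COMPRESSION.get(tcomp & 0xF, "?"),
                        "window": (tcomp >> 8) & 0x1F if (tcomp & 0xF) == 3 else None})
    files, pos = [], offset + coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder, date, time, attribs = struct.unpack_from("<IIHHHH", data, pos)
        pos += 16
        end = data.index(b"\x00", pos)           # szName is NUL-terminated
        name = data[pos:end].decode("utf-8" if attribs & 0x80 else "cp1252", "replace")
        pos = end + 1
        files.append({"name": name, "size": cb_file, "folder": i_folder, "offset": uoff,
                      "attribs": "".join(s for b, s in sorted(ATTRIBS.items()) if attribs & b),
                      "mtime": _dos_datetime(date, time)})
    return {"version": "%d.%d" % (ver_major, ver_minor), "size": cb_cabinet,
            "set_id": set_id, "folders": folders, "files": files}


def build_sample_cab(files, compress=0x1503, blocks=100):
    """Construct a minimal cabinet (header, one folder, CFFILE entries, no CFDATA) for
    offline testing. Names follow the report; sizes/dates are invented (2024-07-01 12:00)."""
    cffile, uoff = b"", 0
    for name, size in files:
        cffile += struct.pack("<IIHHHH", size, uoff, 0, 0x58E1, 0x6000, 0x20)  # +A attribute
        cffile += name.encode("ascii") + b"\x00"
        uoff += size
    coff_files = CFHEADER_SIZE + CFFOLDER_SIZE    # 0x2c, exactly what the report printed
    total = coff_files + len(cffile)
    folder = struct.pack("<IHH", total, blocks, compress)
    header = struct.pack("<4sIIIIIBBHHHHH", CAB_MAGIC, 0, total, 0, coff_files, 0,
                         3, 1, 1, len(files), 0, 0x1234, 0)
    return header + folder + cffile


if __name__ == "__main__":
    cab = build_sample_cab([("StretchWare.msi", 2_600_000), ("setup.exe", 220_000)])
    blob = b"MZ" + b"\x00" * 100 + cab           # stand-in for a wextract stub carrying the CAB
    for off in find_cabinets(blob):
        info = parse_cab(blob, off)
        print("cabinet at 0x%x, v%s, %d bytes" % (off, info["version"], info["size"]))
        for f in info["folders"]:
            print("  folder: %s window=%s blocks=%d" % (f["compression"], f["window"], f["blocks"]))
        for f in info["files"]:
            print("  +%s %10d %s %s" % (f["attribs"], f["size"], f["mtime"], f["name"]))
```

On a real sample, pass the bytes of the whole executable to find_cabinets; the wextract stub stores the cabinet uncompressed in its resource section, so the MSCF header is found by a plain byte search and the CFFILE names tell you what to pull out and hash next (here the .msi and the setup.exe whose PDB path the report lists separately).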
Source: classification engine Classification label: sus24.spyw.evad.winEXE@8/29@0/0
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_0100456A lstrcpyA,GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,GetLastError,FormatMessageA,GetVolumeInformationA,GetLastError,FormatMessageA,SetCurrentDirectoryA,SetCurrentDirectoryA,lstrcpynA, 0_2_0100456A
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_010019C3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 0_2_010019C3
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_01006A45 GetDiskFreeSpaceA,SetCurrentDirectoryA,MulDiv, 0_2_01006A45
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D43221 __EH_prolog3_catch_GS,GetCurrentProcessId,CreateToolhelp32Snapshot,__CxxThrowException@8,_memset,Process32FirstW,Process32NextW,Process32FirstW,Process32NextW,OpenProcess,GetExitCodeProcess,GetExitCodeProcess,Sleep,GetExitCodeProcess,CloseHandle,CreateFileW,CreateFileW,GetLastError,Sleep,CreateFileW,GetLastError,CloseHandle,CloseHandle, 2_2_00D43221
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F85619 CoInitialize,CoCreateInstance, 11_2_00F85619
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_01004819 FindResourceA,LoadResource,DialogBoxIndirectParamA,FreeResource, 0_2_01004819
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Shelter Publications
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CMLD5D4.tmp
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Mutant created: \Sessions\1\BaseNamedObjects\StretchWareCtrlClassSingleApplicationMutex
Source: C:\Users\user\Desktop\StretchInstall.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: StretchInstall.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\StretchInstall.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: StchCtrl.exe String found in binary or memory: -INSTALL
Source: unknown Process created: C:\Users\user\Desktop\StretchInstall.exe "C:\Users\user\Desktop\StretchInstall.exe"
Source: C:\Users\user\Desktop\StretchInstall.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\user\AppData\Local\Temp\IXP000.TMP\StretchWare.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: unknown Process created: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe "C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe"
Source: C:\Users\user\Desktop\StretchInstall.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\user\AppData\Local\Temp\IXP000.TMP\StretchWare.msi"
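
The process-creation lines above describe the whole install chain: the wextract stub unpacks into %TEMP%\IXP000.TMP and runs setup.exe from there, setup.exe hands StretchWare.msi to the 32-bit msiexec, the Windows Installer service (msiexec /V) and the advpack DelNodeRunDLL32 cleanup of the staging directory appear with an unknown parent, and StchCtrl.exe starts last, also without a recorded parent, which fits the autorun-key and Start Menu signatures listed earlier. The Python below is an added example and not part of the report: it parses those lines back into a parent/child tree and applies four hunting heuristics that carry over directly to Sysmon Event ID 1 or EDR process telemetry. The input is the report's own lines with the two repeats dropped; the heuristic names are chosen here for illustration. Note the caveat: an IXP###.TMP staging directory and a DelNodeRunDLL32 cleanup are exactly what every legitimate IExpress package does, so these are triage pivots, not verdicts.

```python
import re
from collections import defaultdict

# Process-creation evidence lines copied from the report (duplicates dropped).
REPORT_LINES = [
    r'Source: unknown Process created: C:\Users\user\Desktop\StretchInstall.exe "C:\Users\user\Desktop\StretchInstall.exe"',
    r'Source: C:\Users\user\Desktop\StretchInstall.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe',
    r'Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\user\AppData\Local\Temp\IXP000.TMP\StretchWare.msi"',
    r'Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V',
    r'Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"',
    r'Source: unknown Process created: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe "C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe"',
]

LINE_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<rest>.+)$")
# wextract/IExpress extraction directory: %TEMP%\IXP000.TMP, IXP001.TMP, ...
TEMP_STAGING = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.I)


def parse_process_line(line):
    """Split one report line into parent image, child image and child command line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    # The image path is followed by the command line, which either starts with a
    # quoted path (split at the first ' "') or repeats an unquoted, space-free path.
    if ' "' in rest:
        image, cmd = rest.split(' "', 1)
        cmd = '"' + cmd
    else:
        image, cmd = rest.split(" ", 1)
    return {"parent": m.group("parent"), "image": image, "cmdline": cmd}


def build_tree(procs):
    """Map parent image -> list of child records; the sandbox uses 'unknown' as root."""
    children = defaultdict(list)
    for p in procs:
        children[p["parent"]].append(p)
    return children


def render(children, parent="unknown", depth=0):
    """Indented text tree, one line per process, depth-first in report order."""
    lines = []
    for p in children.get(parent, []):
        lines.append("  " * depth + p["image"] + "   " + p["cmdline"])
        lines.extend(render(children, p["image"], depth + 1))
    return lines


def triage(procs):
    """Hunting heuristics over the parsed tree; returns (tag, child image) pairs."""
    findings = []
    for p in procs:
        image, cmd = p["image"], p["cmdline"]
        if TEMP_STAGING.search(image):
            findings.append(("wextract-staging", image))          # binary run from IXP###.TMP
        if image.lower().endswith("\\msiexec.exe") and re.search(r"\s[-/]i\s", cmd, re.I) \
                and TEMP_STAGING.search(cmd):
            findings.append(("msi-from-temp", image))             # .msi installed from staging
        if "advpack.dll,delnoderundll32" in cmd.lower():
            findings.append(("staging-cleanup", image))           # recursive delete of a dir
        if p["parent"] == "unknown" and image.lower().startswith("c:\\program files"):
            findings.append(("unattributed-start", image))        # no recorded parent: autorun?
    return findings


if __name__ == "__main__":
    procs = [parse_process_line(l) for l in REPORT_LINES]
    print("\n".join(render(build_tree(procs))))
    for tag, image in triage(procs):
        print("[%s] %s" % (tag, image))
```

The fourth heuristic is the weakest on its own: "unknown" only means the sandbox did not capture the parent, so it needs the registry (the Wow6432Node Run key the Sigma rule fired on) or Start Menu evidence to become a persistence finding rather than a gap in telemetry.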
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: feclient.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Section loaded: advpack.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Section loaded: stretchhook.dll Jump to behavior
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Section loaded: stretchres.dll Jump to behavior
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Stretch.lnk.4.dr LNK file: ..\..\..\..\Installer\{1D2F2573-A76A-47DA-BB96-6860D17CC45B}\_24275761ADC5B212D44AB6.exe
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: Window Recorder Window detected: More than 3 window changes detected
Source: StretchInstall.exe Static file information: File size 2887680 > 1048576
Source: StretchInstall.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x2b6e00
Source: StretchInstall.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wextract.pdb source: StretchInstall.exe
Source: Binary string: setup.pdb source: setup.exe, setup.exe, 00000002.00000000.2092317947.0000000000D21000.00000020.00000001.01000000.00000005.sdmp, setup.exe, 00000002.00000002.3342575243.0000000000D21000.00000020.00000001.01000000.00000005.sdmp, setup.exe.0.dr
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_01006205 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_01006205
Source: setup.exe.0.dr Static PE information: real checksum: 0x65cd5 should be: 0x75d16
Source: StretchHook.dll.4.dr Static PE information: section name: .shared
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D53235 push ecx; ret 2_2_00D53248
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D4F469 push ecx; ret 2_2_00D4F47C
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FEC1D2 push 3BFFFFFFh; iretd 11_2_00FEC1D7
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_01062F55 push ecx; ret 11_2_01062F68
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_01062EDA push ecx; ret 11_2_01062EED
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_6BCF2285 push ecx; ret 11_2_6BCF2298
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_73F725B5 push ecx; ret 11_2_73F725C8
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Shelter Publications\StretchWare\StretchRes.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Shelter Publications\StretchWare\Stretch.exe
Source: C:\Users\user\Desktop\StretchInstall.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Shelter Publications\StretchWare\StretchHook.dll
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_010026E2 LocalFree,lstrcpyA,lstrcpyA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,wsprintfA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,wsprintfA,LocalAlloc,GetFileAttributesA, 0_2_010026E2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe File created: C:\Users\user\AppData\Local\Temp\VSDAAAD.tmp\install.log
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StretchWare
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StretchWare\Stretch.lnk
Source: C:\Users\user\Desktop\StretchInstall.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Windows\System32\msiexec.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run StretchWare StchCtrl
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FD6205 GetParent,GetParent,IsIconic,GetParent, 11_2_00FD6205
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FD0420 IsIconic,PostMessageA, 11_2_00FD0420
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FCE541 IsWindow,GetFocus,IsChild,SendMessageA,IsChild,SendMessageA,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible, 11_2_00FCE541
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F9AD43 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageA,UpdateWindow,SendMessageA,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow, 11_2_00F9AD43
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FCEFD0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics, 11_2_00FCEFD0
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FCF2D0 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect, 11_2_00FCF2D0
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FCF85B IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageA,PtInRect,SendMessageA,ScreenToClient,PtInRect,GetParent,SendMessageA,GetFocus,WindowFromPoint,SendMessageA,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageA, 11_2_00FCF85B
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F6F9C7 IsWindowVisible,IsIconic, 11_2_00F6F9C7
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F8FDC9 SetForegroundWindow,IsIconic, 11_2_00F8FDC9
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F8FE6D IsIconic, 11_2_00F8FE6D
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00FAFE0D GetClientRect,IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,IsRectEmpty,EqualRect,GetWindowRect,GetParent,EndDeferWindowPos, 11_2_00FAFE0D
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F865FF __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyA,lstrcpyA,EnumFontFamiliesA,EnumFontFamiliesA,lstrcpyA,EnumFontFamiliesA,lstrcpyA,CreateFontIndirectA,CreateFontIndirectA,CreateFontIndirectA,CreateFontIndirectA,CreateFontIndirectA,CreateFontIndirectA,GetSystemMetrics,lstrcpyA,CreateFontIndirectA,GetStockObject,GetStockObject,GetObjectA,GetObjectA,lstrcpyA,CreateFontIndirectA,CreateFontIndirectA,GetStockObject,GetObjectA,CreateFontIndirectA,CreateFontIndirectA,__EH_prolog3_GS,GetVersionExA,GetSystemMetrics,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 11_2_00F865FF
Source: C:\Users\user\Desktop\StretchInstall.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D43221 __EH_prolog3_catch_GS,GetCurrentProcessId,CreateToolhelp32Snapshot,__CxxThrowException@8,_memset,Process32FirstW,Process32NextW,Process32FirstW,Process32NextW,OpenProcess,GetExitCodeProcess,GetExitCodeProcess,Sleep,GetExitCodeProcess,CloseHandle,CreateFileW,CreateFileW,GetLastError,Sleep,CreateFileW,GetLastError,CloseHandle,CloseHandle, 2_2_00D43221
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Shelter Publications\StretchWare\Stretch.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\StretchInstall.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe API coverage: 3.6 %
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_01002A96 FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_01002A96
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D2DE9F __EH_prolog3_GS,FindFirstFileW,FindNextFileW,FindClose,FindClose, 2_2_00D2DE9F
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F83089 GetModuleHandleA,GetProcAddress,FindFirstFileA, 11_2_00F83089
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F83477 _strcpy_s,lstrlenA,SetLastError,FindFirstFileA,GetLastError,__fullpath,__splitpath_s,__makepath_s, 11_2_00F83477
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_00F7D99C __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,_strcpy_s, 11_2_00F7D99C
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_010052D4 lstrcpyA,lstrcpyA,GetSystemInfo,lstrcpyA,CreateDirectoryA,RemoveDirectoryA, 0_2_010052D4
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer\{1D2F2573-A76A-47DA-BB96-6860D17CC45B}
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\msiexec.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\StretchInstall.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D55243 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00D55243
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_0106333A VirtualProtect ?,-00000001,00000104,? 11_2_0106333A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D66CAC __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 2_2_00D66CAC
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_010064DE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_010064DE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D4EF49 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00D4EF49
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_01060BBE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_01060BBE
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_01068E21 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_01068E21
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_6BCF3EF6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_6BCF3EF6
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_6BCF3719 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_6BCF3719
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_73F74226 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_73F74226
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_73F73A49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_73F73A49
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: 2_2_00D2B0F4 _memset,ShellExecuteExW,GetLastError,WaitForSingleObject,CloseHandle, 2_2_00D2B0F4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\user\AppData\Local\Temp\IXP000.TMP\StretchWare.msi"
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_01001760 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle, 0_2_01001760
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 2_2_00D5C081
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 2_2_00D60070
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 2_2_00D5C021
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: GetLocaleInfoA, 2_2_00D601AF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 2_2_00D5C257
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 2_2_00D563CD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 2_2_00D5C3C9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_00D5C388
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_00D5C31C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 2_2_00D5B67C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 2_2_00D5B974
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 2_2_00D4FADD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_00D5AA0C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 2_2_00D5DC25
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_00D5DD04
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_00D5BE6C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\setup.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 2_2_00D5BF75
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 11_2_00F7F6EB
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: __EH_prolog3_GS,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetNumberFormatA,GetLocaleInfoA,lstrlenA, 11_2_00FB5CD0
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_0100646B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0100646B
Source: C:\Program Files (x86)\Shelter Publications\StretchWare\StchCtrl.exe Code function: 11_2_01069115 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 11_2_01069115
Source: C:\Users\user\Desktop\StretchInstall.exe Code function: 0_2_0100488C GetVersionExA,MessageBeep,MessageBoxA, 0_2_0100488C
No contacted IP infos