Windows Analysis Report
SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Analysis ID: 1467853
MD5: 877d291ad79381cb54de729ac307b613
SHA1: f57f2b08e73a780ab677cb8a9e8b81e6a9081bd9
SHA256: f6037690187d1989a891542c29907786e4f4e4a406a0f8b0e3b3049dff4c1af4
Tags: exe

Detection

Score: 32
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Compliance

Score: 50
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for reading data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different from the original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

AV Detection

Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Avira: detected
Source: C:\Program Files (x86)\IPCTools\IPCTools\PlayDiag.dll ReversingLabs: Detection: 37%
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_01006205 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 4_2_01006205
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A87378 _memset,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,ReadFile,CryptHashData,ReadFile,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,GetLastError,CryptDestroyHash,CryptReleaseContext, 11_2_00A87378
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A68101 CryptHashPublicKeyInfo,GetLastError, 11_2_00A68101
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A68386 DecryptFileW, 11_2_00A68386
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A67E2A _memset,CryptCATAdminCalcHashFromFileHandle,GetLastError,GetLastError,CryptCATAdminCalcHashFromFileHandle,GetLastError,WinVerifyTrust,WinVerifyTrust,WinVerifyTrust, 11_2_00A67E2A

Compliance

Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Window detected: Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL C++ 2005 RUNTIME LIBRARIESThese license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any Microsoft* updates* supplements* Internet-based services and * support servicesfor this software unless other terms accompany those items. If so those terms apply.By using the software you accept these terms. If you do not accept them do not use the software.If you comply with these license terms you have the rights below.1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. 
You may not* disclose the results of any benchmark tests of the software to any third party without Microsofts prior written approval;* work around any technical limitations in the software;* reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;* make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;* publish the software for others to copy;* rent lease or lend the software;* transfer the software or this agreement to any third party; or* use the software for commercial software hosting services.3. BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6. SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7. ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8. APPLICABLE LAW.a. United States. If you acquired the software in the United States Washington state law governs the interpre
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Window detected: MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL C++ REDISTRIBUTABLE FOR VISUAL STUDIO 2013 These license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any MicrosoftupdatessupplementsInternet-based services andsupport servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.IF YOU COMPLY WITH THESE LICENSE TERMS YOU HAVE THE PERPETUAL RIGHTS BELOW.1.INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2.SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may notdisclose the results of any benchmark tests of the software to any third party without Microsofts prior written approval;work around any technical limitations in the software;reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;publish the software for others to copy;rent lease or lend the software;transfer the software or this agreement to any third party; oruse the software for commercial software hosting services.3.BACKUP COPY. 
You may make one backup copy of the software. You may use it only to reinstall the software.4.DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5.EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6.SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7.ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8.APPLICABLE LAW.a.United States. If you acquired the software in the United States Washington state law governs the interpretation of this agreement and applies to claims for breach of it regardless of conflict of laws pri
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File created: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\license.rtf
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Static PE information: certificate valid
Source: C:\Windows\System32\msiexec.exe File opened: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcr80.dll
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\HWDec__8a78b8\Bin\Win32\HWDec.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1801581634.00000000027C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcm80.i386.pdb source: msvcm80.dll.9.dr
Source: Binary string: E:\WinRenderD3D11\Release\WinRender.pdbY source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1802654851.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdb source: vcredist_x86_vs2005_en.exe, vcredist_x86_vs2005_en.exe, 00000004.00000000.1885195627.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, vcredist_x86_vs2005_en.exe, 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixDepCA.pdb source: vcredist_x86_vs2013_en.exe, 0000000B.00000003.2218884543.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000003.2221638313.0000000000D54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SourceSvn\PC_Client\MP4V3\Release\MP4V3.pdb% source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.0000000002B05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\RenderEngine__8f3d5d\Bin\Win32\RenderEngine.pdbf source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1804750875.00000000027C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vcomp120.i386.pdb0' source: vcomp120.dll.9.dr
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\RenderEngine__8f3d5d\Bin\Win32\RenderEngine.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1804750875.00000000027C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp100.i386.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcr100.i386.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjPlayer.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1796289372.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\work\svn\client\PC_Client\AJTOOLS\run\RemoteConfig.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1833633290.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, RemoteConfig.dll.0.dr
Source: Binary string: vcomp120.i386.pdb source: vcomp120.dll.9.dr
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjRtspClientLib.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1823145898.00000000027CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SourceSvn\PC_Client\MP4V3\Release\MP4V3.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.0000000002B05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdbH source: vcredist_x86_vs2013_en.exe, 0000000C.00000002.2926774939.000000006F8B5000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb source: vcredist_x86_vs2013_en.exe, 0000000B.00000000.1991637937.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000003.2218361520.0000000000D04000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000002.2924261560.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000000.1993010547.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: d:\jk_win7\workspace\CBB_DH3.RD002483_PlaySDK_windows\code_path\Lib\Win32\vs2005shared\dhplay.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, dhplay.dll.0.dr
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb@E source: vcredist_x86_vs2013_en.exe, 0000000B.00000003.2218361520.0000000000D04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjRtspClientLib.pdbS source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1823145898.00000000027CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\PlayDiag__51c853\Bin\Win32\PlayDiag.pdb$ source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1803377811.00000000027C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\HWDec__8a78b8\Bin\Win32\HWDec.pdb1 source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1801581634.00000000027C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdia80.pdb source: msdia80.dll.9.dr
Source: Binary string: MFCM80.i386.pdb source: mfcm80.dll.9.dr
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjNetSdkDll.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1822168495.00000000027CA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\WinRenderD3D11\Release\WinRender.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1802654851.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjPlayer.pdb" source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1796289372.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdb source: vcredist_x86_vs2013_en.exe, 0000000C.00000002.2926774939.000000006F8B5000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\PlayDiag__51c853\Bin\Win32\PlayDiag.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1803377811.00000000027C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb@ source: vcredist_x86_vs2013_en.exe, 0000000B.00000000.1991637937.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000002.2924261560.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000000.1993010547.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\work\svn\client\PC_Client\AJTOOLS\run\AjDevTools.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1792969669.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, IPCTools.exe.0.dr
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_package\code_path\Main\Lib\Win32\vs2005shared\play.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1819295504.00000000028CA000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_00405B6C FindFirstFileW,FindClose, 0_2_00405B6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_0040652D DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_0040652D
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_01002A96 FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 4_2_01002A96
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A68BE8 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 11_2_00A68BE8
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A866A3 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose, 11_2_00A866A3
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A85710 _memset,FindFirstFileW,FindClose, 11_2_00A85710
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 12_2_6F8AA685 _memset,FindFirstFileW,FindClose, 12_2_6F8AA685
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A76994 InternetReadFile,WriteFile,WriteFile,GetLastError,GetLastError, 11_2_00A76994
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1837159501.00000000027C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://%s/http://%s:%d//:HTTP:http:login.html?idChangeStream%d:%d-%d:%dselectedIndexevaltry
Source: dhplay.dll.0.dr String found in binary or memory: http://10.6.5.2/svnpl/CODEC/PC/ADPCM/Trunk
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, dhplay.dll.0.dr String found in binary or memory: http://10.6.5.2/svnpl/CODEC/PC/Audio_Codec/Audio_Mpeg2l2_Dec/Trunk
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, dhplay.dll.0.dr String found in binary or memory: http://10.6.5.2/svnpl/CODEC/PC/Audio_Codec/Audio_Mpeg2l2_Dec/Trunkmalloc
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1819295504.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, dhplay.dll.0.dr String found in binary or memory: http://10.6.5.2/svnpl/CODEC/PC/DEC_H26L/Trunk/H26L_Decoder_PC
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1819295504.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, dhplay.dll.0.dr String found in binary or memory: http://10.6.5.2/svnpl/CODEC/PC/DEC_H26L/Trunk/H26L_Decoder_PCInput
Source: vcredist_x86_vs2013_en.exe, 0000000B.00000002.2923502909.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0X
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1792969669.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, IPCTools.exe.0.dr String found in binary or memory: http://lame.sf.net
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1792969669.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, IPCTools.exe.0.dr String found in binary or memory: http://lame.sf.net1.0LAME3.99rLAME3.99r53.99.5
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sf.symcd.com0&
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: vcredist_x86_vs2013_en.exe, 0000000C.00000002.2922751862.00000000005C0000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000003.1994068009.000000000065D000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000002.2925469599.00000000029D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: dhplay.dll.0.dr String found in binary or memory: http://www.audiocoding.com/)
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000002.2924137747.00000000006F3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1668617871.00000000027D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.icamra.com/
Source: vcredist_x86_vs2013_en.exe, 0000000B.00000002.2923502909.0000000000CE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/03
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.0000000002827000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_00404B88 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404B88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_10001A21 GetDlgCtrlID,OpenClipboard,GetClipboardData,GlobalLock,lstrlenW,SendMessageW,GlobalUnlock,CloseClipboard,CallWindowProcW, 0_2_10001A21
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1804750875.00000000027C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DirectDrawCreateEx memstr_d4f6a812-6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_004033E9 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 0_2_004033E9
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_01002251 ExitWindowsEx, 4_2_01002251
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_010019C3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 4_2_010019C3
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20d4.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2354.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2CEA.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926823.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926823.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_a4c618fa.manifest
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926823.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_a4c618fa.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926823.0\ATL80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86.manifest
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcr80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcp80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcm80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b.manifest
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80u.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80u.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789.manifest
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHS.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHT.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ESP.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ENU.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80DEU.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80FRA.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ITA.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80JPN.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80KOR.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927261.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927261.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_452bf920.manifest
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927261.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_452bf920.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927261.0\vcomp.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927276.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927276.0\8.0.50727.6195.policy
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927276.0\8.0.50727.6195.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927292.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927292.0\8.0.50727.6195.policy
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927292.0\8.0.50727.6195.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927308.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927308.0\8.0.50727.6195.policy
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927308.0\8.0.50727.6195.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927308.1
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927308.1\8.0.50727.6195.policy
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927308.1\8.0.50727.6195.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927323.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927323.0\8.0.50727.6195.policy
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927323.0\8.0.50727.6195.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20d7.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20d7.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20d8.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9838.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcamp120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcomp120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20db.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20db.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20dc.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9EB1.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120chs.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120cht.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120deu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120enu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120esn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120fra.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120ita.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120jpn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120kor.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120rus.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20df.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6d20df.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI2354.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_00406947 0_2_00406947
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_00404451 0_2_00404451
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_01008D30 4_2_01008D30
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_01009548 4_2_01009548
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_01009982 4_2_01009982
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_010086B0 4_2_010086B0
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_010089C7 4_2_010089C7
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_010090EF 4_2_010090EF
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: String function: 6F8AAFD3 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: String function: 00A8177A appears 60 times
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: String function: 00A7FA86 appears 653 times
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: String function: 00A7F6A2 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: String function: 00A8294E appears 460 times
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: String function: 6F8A10E3 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: String function: 00A8540B appears 73 times
Source: WEBConfig.dll.0.dr Static PE information: Resource name: None type: DOS executable (COM, 0x8C-variant)
Source: vcredist_x86_vs2005_en.exe.0.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 2629972 bytes, 2 files, at 0x2c +A "vcredis1.cab" +A "vcredist.msi", ID 2384, number 1, 93 datablocks, 0x1503 compression
Source: mfc80ITA.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc80JPN.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc80CHT.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120kor.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc80DEU.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120enu.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120esn.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120fra.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120ita.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc80ESP.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc80CHS.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc80FRA.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc80ENU.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120rus.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc80KOR.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120cht.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120deu.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120jpn.dll.9.dr Static PE information: No import functions for PE file found
Source: mfc120chs.dll.9.dr Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1856812722.00000000027CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.exe, vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1833633290.00000000027C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUCRemoteConfig.dll4 vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1819295504.00000000028CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcr100_clr0400.dll^ vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1801581634.0000000002827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHWDec.dll< vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1855542496.00000000027CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.dll, vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1804750875.00000000027C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRenderEngine.dll: vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1802654851.00000000027C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinRender.dll: vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.00000000027C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WM/OriginalFilename vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.00000000027C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %sWM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptioncommentWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.00000000027C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp100.dll^ vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000002.2922790957.000000000041E000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L"OriginalFilenamevcredist_x86.exe vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.0000000002D52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1837159501.0000000002A3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWEBConfig.dll4 vs SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: mfc120kor.dll.9.dr Static PE information: Section .rsrc
Source: mfc120enu.dll.9.dr Static PE information: Section .rsrc
Source: mfc120esn.dll.9.dr Static PE information: Section .rsrc
Source: mfc120fra.dll.9.dr Static PE information: Section .rsrc
Source: mfc120ita.dll.9.dr Static PE information: Section .rsrc
Source: mfc120rus.dll.9.dr Static PE information: Section .rsrc
Source: mfc120cht.dll.9.dr Static PE information: Section .rsrc
Source: mfc120deu.dll.9.dr Static PE information: Section .rsrc
Source: mfc120jpn.dll.9.dr Static PE information: Section .rsrc
Source: mfc120chs.dll.9.dr Static PE information: Section .rsrc
Source: classification engine Classification label: sus32.evad.winEXE@19/183@0/0
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_0100456A lstrcpyA,GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,GetLastError,FormatMessageA,GetVolumeInformationA,GetLastError,FormatMessageA,SetCurrentDirectoryA,SetCurrentDirectoryA,lstrcpynA, 4_2_0100456A
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_010019C3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx, 4_2_010019C3
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A513BA GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 11_2_00A513BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_00403FDF GetDlgItem,SetWindowTextW,SHAutoComplete,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00403FDF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_00402218 CoCreateInstance, 0_2_00402218
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_01004819 FindResourceA,LoadResource,DialogBoxIndirectParamA,FreeResource, 4_2_01004819
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A6E774 ChangeServiceConfigW,GetLastError, 11_2_00A6E774
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Users\Public\Desktop\IPCTools.lnk
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Users\user\AppData\Local\Temp\nsjBE03.tmp
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: vcredist_x86_vs2013_en.exe, 0000000B.00000003.2218884543.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000003.2221638313.0000000000D54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT `WixDependency`.`WixDependency`, `WixDependencyProvider`.`Component_`, `WixDependency`.`ProviderKey`, `WixDependency`.`MinVersion`, `WixDependency`.`MaxVersion`, `WixDependency`.`Attributes` FROM `WixDependencyProvider`, `WixDependency`, `WixDependencyRef` WHERE `WixDependency`.`WixDependency` = `WixDependencyRef`.`WixDependency_` AND `WixDependencyProvider`.`WixDependencyProvider` = `WixDependencyRef`.`WixDependencyProvider_`SELECT `WixDependencyProvider`.`WixDependencyProvider`, `WixDependencyProvider`.`Component_`, `WixDependencyProvider`.`ProviderKey`, `WixDependencyProvider`.`Attributes` FROM `WixDependencyProvider`Failed to ignored dependency "%ls" to the string dictionary.;Failed to create the string dictionary.Failed to get the string value of the IGNOREDEPENDENCIES property.IGNOREDEPENDENCIESUnknownFailed to set the dependency name "%ls" into the message record.Failed to set the dependency key "%ls" into the message record.The dependency "%ls" is missing or is not the required version.Found dependent "%ls", name: "%ls".Failed to set the number of dependencies into the message record.Failed to set the message identifier into the message record.Not enough memory to create the message record.wixdepca.cppUnexpected message response %d from user or bootstrapper application.Failed to create the dependency record for message %d.Failed to enumerate all of the rows in the dependency query view.Failed to get WixDependency.Attributes.Failed to get WixDependency.MaxVersion.Failed to get WixDependency.MinVersion.Failed to get WixDependency.ProviderKey.Failed to get WixDependencyProvider.Component_.Failed to get WixDependency.WixDependency.Failed dependency check for %ls.Skipping dependency check for %ls because the component %ls is not being (re)installed.Failed to open the query view for dependencies.Failed to initialize the unique dependency string list.Failed to check if the WixDependency table exists.Skipping the dependency check since no dependencies are authored.WixDependencyFailed to enumerate all of the rows in the dependency provider query view.Failed to get WixDependencyProvider.Attributes.Failed to get WixDependencyProvider.ProviderKey.Failed to get WixDependencyProvider.Component.Failed to get WixDependencyProvider.WixDependencyProvider.Failed dependents check for %ls.Skipping dependents check for %ls because the component %ls is not being uninstalled.Failed to open the query view for dependency providers.Failed to check if the WixDependencyProvider table exists.Skipping the dependents check since no dependency providers are authored.WixDependencyProviderSkipping the dependencies check since IGNOREDEPENDENCIES contains "ALL".Failed to check if "ALL" was set in IGNOREDEPENDENCIES.ALLFailed to get the ignored dependents.Failed to ensure required dependencies for (re)installing components.ALLUSERSFailed to initialize the registry functions.Failed to initialize.WixDependencyRequireFailed to ensure absent dependents for uninstalling com
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe ReversingLabs: Detection: 47%
Source: vcredist_x86_vs2013_en.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /F /IM IPCTools.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Process created: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /i vcredist.msi
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8341741E8479EC6D551F124E2FB1671E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Process created: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Process created: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe "C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe" -burn.unelevated BurnPipe.{A826652D-AFD8-40B6-84B0-7105BE434658} {ED4ADFC9-BDFE-4680-B562-A7A4CCF98333} 6952
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Section loaded: advpack.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sxs.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: srclient.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: spp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: vssapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: vsstrace.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: usoapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: sxproxy.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: msisip.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: srpapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: tsappcmp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vss_ps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: IPCTools.lnk.0.dr LNK file: ..\..\..\Program Files (x86)\IPCTools\IPCTools\IPCTools.exe
Source: IPCTools.lnk0.0.dr LNK file: ..\..\..\..\..\..\..\Program Files (x86)\IPCTools\IPCTools\IPCTools.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File written: C:\Users\user\AppData\Local\Temp\nsoBE71.tmp\ioSpecial.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Automated click: OK
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Automated click: Next >
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Automated click: I agree to the license terms and conditions
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Window detected: Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL C++ 2005 RUNTIME LIBRARIESThese license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any Microsoft* updates* supplements* Internet-based services and * support servicesfor this software unless other terms accompany those items. If so those terms apply.By using the software you accept these terms. If you do not accept them do not use the software.If you comply with these license terms you have the rights below.1. INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2. SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not* disclose the results of any benchmark tests of the software to any third party without Microsofts prior written approval;* work around any technical limitations in the software;* reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;* make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;* publish the software for others to copy;* rent lease or lend the software;* transfer the software or this agreement to any third party; or* use the software for commercial software hosting services.3. BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4. DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6. SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7. ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8. APPLICABLE LAW.a. United States. If you acquired the software in the United States Washington state law governs the interpre
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Window detected: MICROSOFT SOFTWARE LICENSE TERMSMICROSOFT VISUAL C++ REDISTRIBUTABLE FOR VISUAL STUDIO 2013 These license terms are an agreement between Microsoft Corporation (or based on where you live one of its affiliates) and you. Please read them. They apply to the software named above which includes the media on which you received it if any. The terms also apply to any MicrosoftupdatessupplementsInternet-based services andsupport servicesfor this software unless other terms accompany those items. If so those terms apply.BY USING THE SOFTWARE YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM DO NOT USE THE SOFTWARE.IF YOU COMPLY WITH THESE LICENSE TERMS YOU HAVE THE PERPETUAL RIGHTS BELOW.1.INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices.2.SCOPE OF LICENSE. The software is licensed not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation you may use the software only as expressly permitted in this agreement. In doing so you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may notdisclose the results of any benchmark tests of the software to any third party without Microsofts prior written approval;work around any technical limitations in the software;reverse engineer decompile or disassemble the software except and only to the extent that applicable law expressly permits despite this limitation;make more copies of the software than specified in this agreement or allowed by applicable law despite this limitation;publish the software for others to copy;rent lease or lend the software;transfer the software or this agreement to any third party; oruse the software for commercial software hosting services.3.BACKUP COPY. You may make one backup copy of the software. You may use it only to reinstall the software.4.DOCUMENTATION. Any person that has valid access to your computer or internal network may copy and use the documentation for your internal reference purposes.5.EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations end users and end use. For additional information see www.microsoft.com/exporting.6.SUPPORT SERVICES. Because this software is as is we may not provide support services for it.7.ENTIRE AGREEMENT. This agreement and the terms for supplements updates Internet-based services and support services that you use are the entire agreement for the software and support services.8.APPLICABLE LAW.a.United States. If you acquired the software in the United States Washington state law governs the interpretation of this agreement and applies to claims for breach of it regardless of conflict of laws pri
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Window detected: Number of UI elements: 19
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Static file information: File size 22881736 > 1048576
Source: C:\Windows\System32\msiexec.exe File opened: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcr80.dll
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\HWDec__8a78b8\Bin\Win32\HWDec.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1801581634.00000000027C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcm80.i386.pdb source: msvcm80.dll.9.dr
Source: Binary string: E:\WinRenderD3D11\Release\WinRender.pdbY source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1802654851.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdb source: vcredist_x86_vs2005_en.exe, vcredist_x86_vs2005_en.exe, 00000004.00000000.1885195627.0000000001001000.00000020.00000001.01000000.0000000A.sdmp, vcredist_x86_vs2005_en.exe, 00000004.00000002.1981305756.0000000001001000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixDepCA.pdb source: vcredist_x86_vs2013_en.exe, 0000000B.00000003.2218884543.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000003.2221638313.0000000000D54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SourceSvn\PC_Client\MP4V3\Release\MP4V3.pdb% source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.0000000002B05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\RenderEngine__8f3d5d\Bin\Win32\RenderEngine.pdbf source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1804750875.00000000027C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vcomp120.i386.pdb0' source: vcomp120.dll.9.dr
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\RenderEngine__8f3d5d\Bin\Win32\RenderEngine.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1804750875.00000000027C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcp100.i386.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1858040950.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcr100.i386.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1859722231.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjPlayer.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1796289372.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\work\svn\client\PC_Client\AJTOOLS\run\RemoteConfig.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1833633290.00000000027C2000.00000004.00000020.00020000.00000000.sdmp, RemoteConfig.dll.0.dr
Source: Binary string: vcomp120.i386.pdb source: vcomp120.dll.9.dr
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjRtspClientLib.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1823145898.00000000027CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SourceSvn\PC_Client\MP4V3\Release\MP4V3.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.0000000002B05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdbH source: vcredist_x86_vs2013_en.exe, 0000000C.00000002.2926774939.000000006F8B5000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb source: vcredist_x86_vs2013_en.exe, 0000000B.00000000.1991637937.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000003.2218361520.0000000000D04000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000002.2924261560.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000000.1993010547.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: d:\jk_win7\workspace\CBB_DH3.RD002483_PlaySDK_windows\code_path\Lib\Win32\vs2005shared\dhplay.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1800379255.00000000027C8000.00000004.00000020.00020000.00000000.sdmp, dhplay.dll.0.dr
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb@E source: vcredist_x86_vs2013_en.exe, 0000000B.00000003.2218361520.0000000000D04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjRtspClientLib.pdbS source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1823145898.00000000027CB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\PlayDiag__51c853\Bin\Win32\PlayDiag.pdb$ source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1803377811.00000000027C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\HWDec__8a78b8\Bin\Win32\HWDec.pdb1 source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1801581634.00000000027C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdia80.pdb source: msdia80.dll.9.dr
Source: Binary string: MFCM80.i386.pdb source: mfcm80.dll.9.dr
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjNetSdkDll.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1822168495.00000000027CA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\WinRenderD3D11\Release\WinRender.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1802654851.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\SvnSpace\Client\PC_Client\Window_Header_dll_lib\dll\AjPlayer.pdb" source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1796289372.00000000027C2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdb source: vcredist_x86_vs2013_en.exe, 0000000C.00000002.2926774939.000000006F8B5000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_windows\code_path\PlayDiag__51c853\Bin\Win32\PlayDiag.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1803377811.00000000027C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb@ source: vcredist_x86_vs2013_en.exe, 0000000B.00000000.1991637937.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000B.00000002.2922969338.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000002.2924261560.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp, vcredist_x86_vs2013_en.exe, 0000000C.00000000.1993010547.0000000000A8A000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: D:\work\svn\client\PC_Client\AJTOOLS\run\AjDevTools.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1792969669.00000000027C7000.00000004.00000020.00020000.00000000.sdmp, IPCTools.exe.0.dr
Source: Binary string: d:\jk_107\workspace\CBB_DH3.RD004352_PlaySDK_package\code_path\Main\Lib\Win32\vs2005shared\play.pdb source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1819295504.00000000028CA000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_00405B93 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405B93
Source: play.dll.0.dr Static PE information: section name: .rodata
Source: vcredist_x86_vs2013_en.exe.0.dr Static PE information: section name: .wixburn
Source: dhplay.dll.0.dr Static PE information: section name: .rodata
Source: dhplay.dll.0.dr Static PE information: section name: .rodata
Source: dhplay.dll.0.dr Static PE information: section name: .ctors
Source: dhplay.dll.0.dr Static PE information: section name: .dtors
Source: MP4V3.dll.0.dr Static PE information: section name: .text.un
Source: MP4V3.dll.0.dr Static PE information: section name: .eh_fram
Source: MP4V3.dll.0.dr Static PE information: section name: .drectve
Source: 7z.dll.0.dr Static PE information: section name: .sxdata
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A79B85 push ecx; ret 11_2_00A79B98
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 12_2_6F8AC354 pushad ; ret 12_2_6F8AC355
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 12_2_6F8AEE85 push ecx; ret 12_2_6F8AEE98
Source: msvcr100.dll.0.dr Static PE information: section name: .text entropy: 6.90903234258047
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120chs.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120deu.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\HWDec.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80FRA.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120ita.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120cht.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80u.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File created: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\IPCTools.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80u.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\RenderEngine.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ITA.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\RemoteConfig.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHS.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\msvcr100.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80DEU.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\7z.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120fra.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80KOR.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcamp120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926823.0\ATL80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120esn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcr80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ENU.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\msvcp100.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\AjNetSdkDll.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\WEBConfig.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80JPN.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File created: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Users\user\AppData\Local\Temp\nsoBE71.tmp\InstallOptions.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120rus.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927261.0\vcomp.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\7z.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120kor.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ESP.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHT.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\PlayDiag.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\MP4V3.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\AjRtspClientLib.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcm80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2354.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\dhplay.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Users\user\AppData\Local\Temp\nsoBE71.tmp\LangDLL.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120jpn.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\AjPlayer.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcp80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcomp120.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\play.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120enu.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\Program Files (x86)\IPCTools\IPCTools\WinRender.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120chs.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120deu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80FRA.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120ita.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120cht.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80u.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120rus.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927261.0\vcomp.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80u.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120kor.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ESP.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHT.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ITA.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHS.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2354.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcm80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80DEU.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120fra.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80KOR.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926823.0\ATL80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcamp120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120jpn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcp80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120esn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcr80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ENU.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcomp120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc120enu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80JPN.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_10001E00 wsprintfW,lstrcpyW,GetPrivateProfileStringW,lstrcpyW,CharNextW, 0_2_10001E00
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_010026E2 LocalFree,lstrcpyA,lstrcpyA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,wsprintfA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,wsprintfA,LocalAlloc,GetFileAttributesA, 4_2_010026E2
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File created: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\license.rtf
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Source: C:\Windows\System32\SrTasks.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IPCTools
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IPCTools\IPCTools
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IPCTools\IPCTools\IPCTools.lnk
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {f65db027-aff3-4070-886a-0d87064aabb1}
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {f65db027-aff3-4070-886a-0d87064aabb1}
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {f65db027-aff3-4070-886a-0d87064aabb1}
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {f65db027-aff3-4070-886a-0d87064aabb1}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120chs.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120deu.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\HWDec.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80FRA.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120ita.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80u.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120cht.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\IPCTools.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80u.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\RenderEngine.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ITA.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\RemoteConfig.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHS.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\msvcr100.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80DEU.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\7z.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120fra.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80KOR.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926823.0\ATL80.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vcamp120.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120esn.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ENU.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcr80.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfcm80.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\msvcp100.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\WEBConfig.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\AjNetSdkDll.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80JPN.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsoBE71.tmp\InstallOptions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120rus.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927261.0\vcomp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\7z.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120kor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80ESP.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162927136.0\mfc80CHT.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\PlayDiag.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\MP4V3.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\AjRtspClientLib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2354.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcm80.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\dhplay.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsoBE71.tmp\LangDLL.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120jpn.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\AjPlayer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926855.0\msvcp80.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vcomp120.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\play.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120enu.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\WinRender.dll Jump to dropped file
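The "dropped PE file which has not been started" hits above are a mixed bag. The mfc80*, mfcm80*, msvcr80, msvcp80, msvcm80 and ATL80 files under WinSxS\InstallTemp and the mfc120*, vcomp120 and vcamp120 files under SysWOW64 are the Visual C++ 2005 and 2013 runtime payloads written by msiexec.exe on behalf of the two vcredist packages the installer launched; InstallOptions.dll and LangDLL.dll in nsoBE71.tmp are NSIS plugins the installer stub unpacks to %TEMP%; the rest is the IPCTools product tree. A runtime DLL not being "started" during a sandbox run is expected, since the product loads it later rather than executing it. The Python script below is an added example and not part of the Joe Sandbox report: it parses a constructed excerpt of those lines, groups dropped files by the writing process and the location they landed in, and pulls out the two subsets worth hashing and signature-checking first, namely PEs written into system directories by anything other than the Windows Installer service and PEs the sample itself wrote outside its product directory. The location buckets and the SAMPLE and INSTALL_DIR constants are assumptions taken from the report's own paths.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed input: ten "Dropped PE file" lines copied from the report above. The
# trailing "Jump to dropped file" link text, where still present, is tolerated.
REPORT_LINES = r"""
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240704162926964.0\mfc80u.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120cht.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\IPCTools.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Program Files (x86)\IPCTools\IPCTools\7z.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsoBE71.tmp\InstallOptions.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2354.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsoBE71.tmp\LangDLL.dll
""".strip().splitlines()

# Assumptions for this example, both taken from paths the report shows.
SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe"
INSTALL_DIR = r"C:\Program Files (x86)\IPCTools"

DROP_RE = re.compile(
    r"^Source: (?P<dropper>.+?) Dropped PE file which has not been started: "
    r"(?P<path>.+?)(?: Jump to dropped file)?$"
)


def parse_drops(lines: List[str]) -> List[Tuple[str, str]]:
    """(dropping process, dropped PE path) for every 'Dropped PE file' line."""
    hits = []
    for line in lines:
        m = DROP_RE.match(line.strip())
        if m:
            hits.append((m["dropper"], m["path"]))
    return hits


def bucket(path: str) -> str:
    """Coarse location class of a dropped file; most specific test first."""
    p = path.lower()
    if "\\winsxs\\installtemp\\" in p:
        return "winsxs-staging"      # side-by-side assemblies staged by the MSI engine
    if "\\windows\\installer\\" in p:
        return "msi-temp"            # Windows Installer scratch files (MSIxxxx.tmp)
    if p.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
        return "system-dir"
    if p.startswith("c:\\programdata\\package cache\\"):
        return "package-cache"       # WiX Burn's cache of the redistributable itself
    if "\\appdata\\local\\temp\\" in p:
        return "user-temp"
    if p.startswith("c:\\program files"):
        return "program-files"
    return "other"


def drops_by_process(lines: List[str]) -> Dict[str, Counter]:
    """Per dropping process, how many PE files landed in each location bucket."""
    table: Dict[str, Counter] = defaultdict(Counter)
    for dropper, path in parse_drops(lines):
        table[dropper][bucket(path)] += 1
    return dict(table)


def system_writes_not_via_msi(lines: List[str]) -> List[Tuple[str, str]]:
    """PE files written into system directories or WinSxS staging by anything other
    than the Windows Installer service. For a legitimate installer this is empty."""
    return [
        (dropper, path)
        for dropper, path in parse_drops(lines)
        if bucket(path) in {"system-dir", "winsxs-staging"}
        and not dropper.lower().endswith("\\msiexec.exe")
    ]


def sample_writes_outside_install_dir(lines: List[str], sample: str = SAMPLE,
                                      install_dir: str = INSTALL_DIR) -> List[str]:
    """PE files the sample itself wrote anywhere except its own product directory;
    these are the ones to hash and inspect first."""
    prefix = install_dir.lower() + "\\"
    return [
        path for dropper, path in parse_drops(lines)
        if dropper.lower() == sample.lower() and not path.lower().startswith(prefix)
    ]


if __name__ == "__main__":
    for proc, counts in drops_by_process(REPORT_LINES).items():
        print(proc.rsplit("\\", 1)[-1], dict(counts))
    print("system writes not via msiexec:", system_writes_not_via_msi(REPORT_LINES))
    print("sample writes outside install dir:", sample_writes_outside_install_dir(REPORT_LINES))
```

On the excerpt, every write into SysWOW64 or WinSxS comes from msiexec.exe, and the only files the sample wrote outside C:\Program Files (x86)\IPCTools are the two NSIS plugin DLLs in its temp directory. The follow-up a practitioner still owes is outside the script: verify the Authenticode signatures of the redistributable payloads and hash the product DLLs against a known-good copy of the vendor package.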
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\SrTasks.exe TID: 1276 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A7F195 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00A7F236h 11_2_00A7F195
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A7F195 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00A7F22Fh 11_2_00A7F195
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File Volume queried: C:\Windows FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_00405B6C FindFirstFileW,FindClose, 0_2_00405B6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_0040652D DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_0040652D
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_01002A96 FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 4_2_01002A96
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A68BE8 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 11_2_00A68BE8
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A866A3 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose, 11_2_00A866A3
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A85710 _memset,FindFirstFileW,FindClose, 11_2_00A85710
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 12_2_6F8AA685 _memset,FindFirstFileW,FindClose, 12_2_6F8AA685
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_010052D4 lstrcpyA,lstrcpyA,GetSystemInfo,lstrcpyA,CreateDirectoryA,RemoveDirectoryA, 4_2_010052D4
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL
Source: dhplay.dll.0.dr Binary or memory string: bottombottomlefttoptopleftcenterleftunspecifiedbt2020cbt2020ncycgcofccgbrbt2020-20bt2020-10iec61966-2-1bt1361eiec61966-2-4log316log100linearbt2020filmsmpte240msmpte170mbt470bgbt470mbt709reservedpctvbayer_grbg16bebayer_grbg16lebayer_gbrg16bebayer_gbrg16lebayer_rggb16bebayer_rggb16lebayer_bggr16bebayer_bggr16lebayer_grbg8bayer_gbrg8bayer_rggb8bayer_bggr8yuvj411pgbrap16legbrap16begbrapgbrp14legbrp14begbrp12legbrp12beyuv444p14leyuv444p14beyuv444p12leyuv444p12beyuv422p14leyuv422p14beyuv422p12leyuv422p12beyuv420p14leyuv420p14beyuv420p12leyuv420p12beyuva422pyuva444pbgr00bgrrgb00rgbbgra64lebgra64bergba64lergba64beya16leya16bevdayvyu422nv20benv20lenv16xyz12bexyz12levdpauyuva444p16leyuva444p16beyuva422p16leyuva422p16beyuva420p16leyuva420p16beyuva444p10leyuva444p10beyuva422p10leyuva422p10beyuva420p10leyuva420p10beyuva444p9leyuva444p9beyuva422p9leyuva422p9beyuva420p9leyuva420p9begbrp16legbrp16begbrp10legbrp10begbrp9legbrp9begbrpvda_vldyuv422p9leyuv422p9beyuv444p10leyuv444p10beyuv444p9leyuv444p9beyuv422p10leyuv422p10beyuv420p10leyuv420p10beyuv420p9leyuv420p9bebgr48lebgr48begray8aya8bgr444bebgr444lergb444bergb444ledxva2_vldvdpau_mpeg4yuv444p16beyuv444p16leyuv422p16beyuv422p16leyuv420p16beyuv420p16levaapi_vldvaapi_idctvaapi_mocobgr555lebgr555bebgr565lebgr565bergb555lergb555bergb565lergb565bergb48lergb48bevdpau_vc1vdpau_wmv3vdpau_mpeg2vdpau_mpeg1vdpau_h264yuvj440py16ley16beabgrrgbargb4_bytebgr4_bytexvmcidctxvmcmcpal8monobmonowgray8,y8gray
Source: SrTasks.exe, 00000013.00000003.2312940027.000002414544E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: SrTasks.exe, 00000013.00000003.2307151382.0000024145463000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b
Source: SrTasks.exe, 00000013.00000003.2307151382.0000024145463000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:\
Source: dhplay.dll.0.dr Binary or memory string: xvmcidct
Source: SrTasks.exe, 00000013.00000003.2312940027.000002414544E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:88
Source: SrTasks.exe, 00000013.00000002.2315131839.0000024145463000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:!!
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1819295504.0000000002AC3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bottombottomlefttoptopleftcenterleftunspecifiedbt2020cbt2020ncycgcofccgbrbt2020-20bt2020-10iec61966-2-1bt1361eiec61966-2-4log316log100linearbt2020filmsmpte240msmpte170mbt470bgbt470mbt709reservedpctvbayer_grbg16bebayer_grbg16lebayer_gbrg16bebayer_gbrg16lebayer_rggb16bebayer_rggb16lebayer_bggr16bebayer_bggr16lebayer_grbg8bayer_gbrg8bayer_rggb8bayer_bggr8yuvj411pgbrap16legbrap16begbrapgbrp14legbrp14begbrp12legbrp12beyuv444p14leyuv444p14beyuv444p12leyuv444p12beyuv422p14leyuv422p14beyuv422p12leyuv422p12beyuv420p14leyuv420p14beyuv420p12leyuv420p12beyuva422pyuva444pbgr00bgrrgb00rgbbgra64lebgra64bergba64lergba64beya16leya16bevdayvyu422nv20benv20lenv16xyz12bexyz12levdpauyuva444p16leyuva444p16beyuva422p16leyuva422p16beyuva420p16leyuva420p16beyuva444p10leyuva444p10beyuva422p10leyuva422p10beyuva420p10leyuva420p10beyuva444p9leyuva444p9beyuva422p9leyuva422p9beyuva420p9leyuva420p9begbrp16legbrp16begbrp10legbrp10begbrp9legbrp9begbrpvda_vldyuv422p9leyuv422p9beyuv444p10leyuv444p10beyuv444p9leyuv444p9beyuv422p10leyuv422p10beyuv420p10leyuv420p10beyuv420p9leyuv420p9bebgr48lebgr48begray8aya8bgr444bebgr444lergb444bergb444ledxva2_vldvdpau_mpeg4yuv444p16beyuv444p16leyuv422p16beyuv422p16leyuv420p16beyuv420p16levaapi_vldvaapi_idctvaapi_mocobgr555lebgr555bebgr565lebgr565bergb555lergb555bergb565lergb565bergb48lergb48bevdpau_vc1vdpau_wmv3vdpau_mpeg2vdpau_mpeg1vdpau_h264yuvj440py16ley16beabgrrgbargb4_bytebgr4_bytexvmcidctxvmcmcpal8monobmonowgray8,y8gray`it
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.00000000027C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: yuv420pyuyv422rgb24bgr24yuv422pyuv444pyuv410pyuv411pgraygray8,y8monowmonobpal8yuvj420pyuvj422pyuvj444pxvmcmcxvmcidctuyvy422uyyvyy411bgr8bgr4bgr4_bytergb8rgb4rgb4_bytenv12nv21argbabgrgray16bey16begray16ley16leyuv440pyuvj440pyuva420pvdpau_h264vdpau_mpeg1vdpau_mpeg2vdpau_wmv3vdpau_vc1rgb48bergb48lergb565bergb565lergb555bergb555lebgr565bebgr565lebgr555bebgr555levaapi_mocovaapi_idctvaapi_vldyuv420p16leyuv420p16beyuv422p16leyuv422p16beyuv444p16leyuv444p16bevdpau_mpeg4dxva2_vldrgb444lergb444bebgr444lebgr444beya8gray8abgr48bebgr48leyuv420p9beyuv420p9leyuv420p10beyuv420p10leyuv422p10beyuv422p10leyuv444p9beyuv444p9leyuv444p10beyuv444p10leyuv422p9beyuv422p9levda_vldgbrpgbrp9begbrp9legbrp10begbrp10legbrp16begbrp16leyuva422pyuva444pyuva420p9beyuva420p9leyuva422p9beyuva422p9leyuva444p9beyuva444p9leyuva420p10beyuva420p10leyuva422p10beyuva422p10leyuva444p10beyuva444p10leyuva420p16beyuva420p16leyuva422p16beyuva422p16leyuva444p16beyuva444p16levdpauxyz12lexyz12benv16nv20lenv20bergba64bergba64lebgra64bebgra64leyvyu422vdaya16beya16legbrapgbrap16begbrap16leqsvmmald3d11va_vld0rgbrgb00bgrbgr0yuv420p12beyuv420p12leyuv420p14beyuv420p14leyuv422p12beyuv422p12leyuv422p14beyuv422p14leyuv444p12beyuv444p12leyuv444p14beyuv444p14legbrp12begbrp12legbrp14begbrp14leyuvj411pbayer_bggr8bayer_rggb8bayer_gbrg8bayer_grbg8bayer_bggr16lebayer_bggr16bebayer_rggb16lebayer_rggb16bebayer_gbrg16lebayer_gbrg16bebayer_grbg16lebayer_grbg16beyuv440p10leyuv440p10beyuv440p12leyuv440p12beayuv64leayuv64bevideotoolbox_vldp010lep010be
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.00000000027C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Screen Codec / VMware Video
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A7A0AC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00A7A0AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_00405B93 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405B93
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A8233B GetProcessHeap,RtlAllocateHeap, 11_2_00A8233B
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_010064DE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_010064DE
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A7A0AC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00A7A0AC
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A78A42 SetUnhandledExceptionFilter, 11_2_00A78A42
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A77EAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00A77EAA
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 12_2_6F8AC9C1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_6F8AC9C1
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 12_2_6F8AB88C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_6F8AB88C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\system32\taskkill.exe" /F /IM IPCTools.exe /T
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A82B14 _memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree, 11_2_00A82B14
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_01001760 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle, 4_2_01001760
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1837159501.00000000027C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndIDS_DEV_HEARTBEAT_TIP%04d-%02d:%02d %02d:%02d:%02d%d-%d-%d %d:%d:%dERR_DEV_NOT_LOGINERR_DEV_NOT_CONNECTEDERR_IS_STARTAUDIO_ERRORIP_NET_DVR_StartVoiceComERR_NOT_FIND_DEVICEIP_NET_DVR_StartTalkERR_OPEN_AUDIOCAPTURE_FAILEncodeTypeSampleRateAudioplayer.html?noneplaybackli_idOnChangeStoreDevice%s;expires=Sun,22-Feb-2099 00:00:00 GMT?:\OnChangeAbilityInfoHiddenAdvPtzActionctrl_versionscfLoginl1tyl1tmOnPresetListChange#Call_PresetListChkBoxDel_PresetListChkBoxERR_AUDIO_PARAM_ERRORERR_NOT_STARTTALK_MODE_ERRORIP_NET_DVR_AddTalkhttp://%s/http://%s:%d//:HTTP:http:login.html?idChangeStream%d:%d-%d:%dselectedIndexevaltry{document.getElementById('cfgli_id').style.display='none';}catch(eevv){}scfRealEventnStreamTypePlayRealVideo&t=%dselectedIndexidChangeStreamm_pBrowserApp->ExecWB return code=0x%x===>>[%s:%d] scale=%d<<===CPlayerDlg::SetZoomValue<xml><cmd>setpreset</cmd><preset>%s</preset><flag>1</flag></xml><xml>
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\logo.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A535A5 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,CreateNamedPipeW,GetLastError, 11_2_00A535A5
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_0100646B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_0100646B
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A59A5A GetUserNameW,GetLastError, 11_2_00A59A5A
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A87D79 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime, 11_2_00A87D79
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_0040609E GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_0040609E
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
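Three of the signature groups above deserve a caveat before they count as evasion. The IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess chains are the fatal-error path of the MSVC C runtime, present in every binary built with that toolchain, and here they are reported in Microsoft's own vcredist bootstrapper rather than in the sample. In the "GetLocalTime followed by cmp" hits the compared operand is [ebp+08h], which under a standard ebp frame is the function's first stack argument, so the branch keys on a parameter and not on the SYSTEMTIME the call filled in. The VMware strings come from SrTasks.exe, the Windows System Protection task, whose memory holds the analysis VM's own device paths, and from libavcodec's codec and pixel-format name tables inside the bundled player DLL (the VMnc decoder's long name is "VMware Screen Codec / VMware Video"), not from hypervisor fingerprinting by the sample. The Python script below is an added example, not part of the Joe Sandbox report: it parses a constructed excerpt of the lines above, labels each API chain, downgrades a date check whose compare targets a stack argument, and separates memory-string hits by origin. The process set, the ffmpeg marker list and the chain signatures are assumptions chosen for this example; the OpenProcessToken, GetTokenInformation, AllocateAndInitializeSid, EqualSid chain is labelled as the Administrators-membership test an installer runs before deciding whether to elevate.

```python
import re
from typing import Dict, List, Optional

# Constructed input: signature lines copied from the report above (one "date check" hit,
# four API chains, three "Binary or memory string" hits).
LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A7F195 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00A7F236h 11_2_00A7F195
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A77EAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00A77EAA
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2005_en.exe Code function: 4_2_01001760 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle, 4_2_01001760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe Code function: 0_2_00405B93 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405B93
Source: C:\Users\user\AppData\Local\Temp\vcredist_x86_vs2013_en.exe Code function: 11_2_00A535A5 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,CreateNamedPipeW,GetLastError, 11_2_00A535A5
Source: SrTasks.exe, 00000013.00000003.2307151382.0000024145463000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b
Source: SecuriteInfo.com.Win32.Malware-gen.10020.18427.exe, 00000000.00000003.1841583023.00000000027C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Screen Codec / VMware Video
Source: dhplay.dll.0.dr Binary or memory string: xvmcidct
""".strip().splitlines()

CODE_RE = re.compile(r"^Source: (?P<proc>.+?) Code function: (?P<func>\S+) (?P<body>.+?) (?P=func)$")
MEM_RE = re.compile(r"^Source: (?P<src>.+?) Binary or memory string: (?P<text>.*)$")
CMP_RE = re.compile(r"cmp (?:dword|word|byte) ptr \[ebp([+-])([0-9A-Fa-f]+)h\]")

# Assumptions for this example: Windows processes that merely ran alongside the sample,
# strings that come from libavcodec's codec / pixel-format name tables, and the API
# sets that identify the two benign chain patterns discussed above.
SANDBOX_HOST_PROCESSES = {"srtasks.exe", "conhost.exe"}
FFMPEG_MARKERS = ("VMware Screen Codec / VMware Video", "xvmcidct")
CRT_FATAL_PATH = {"SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}
ADMIN_CHECK = {"OpenProcessToken", "GetTokenInformation", "AllocateAndInitializeSid", "EqualSid"}


def parse_code_functions(lines: List[str]) -> List[dict]:
    """One record per 'Code function' line: process, function id, API list, raw body."""
    out = []
    for line in lines:
        m = CODE_RE.match(line.strip())
        if not m:
            continue
        body = m["body"]
        # "X followed by cmp: ..." hits name a single API; chain hits are comma separated.
        apis = [body.split()[0]] if " followed by " in body else [a for a in body.split(",") if a]
        out.append({"process": m["proc"], "func": m["func"], "apis": apis, "body": body})
    return out


def classify_chain(apis: List[str]) -> str:
    s = set(apis)
    if "IsDebuggerPresent" in s and s & CRT_FATAL_PATH:
        return "crt-fatal-error-path"      # MSVC runtime boilerplate, not application anti-debug
    if ADMIN_CHECK <= s:
        return "admin-membership-check"    # token groups compared against a SID
    if "GetProcAddress" in s and s & {"LoadLibraryA", "LoadLibraryW"}:
        return "dynamic-import"
    if s & {"CreateNamedPipeA", "CreateNamedPipeW"}:
        return "named-pipe-server"
    if s & {"GetLocalTime", "GetSystemTime"}:
        return "time-query"
    return "unclassified"


def date_check_compares_argument(body: str) -> Optional[bool]:
    """For 'GetLocalTime followed by cmp' hits: True when the compared operand sits at
    [ebp+8] or above, i.e. a stack argument under a standard frame, so the branch keys on
    a parameter rather than on the SYSTEMTIME the call filled. None without an ebp cmp."""
    m = CMP_RE.search(body)
    if not m:
        return None
    sign, offset = m.group(1), int(m.group(2), 16)
    return sign == "+" and offset >= 8


def memory_string_origin(line: str) -> Optional[str]:
    m = MEM_RE.match(line.strip())
    if not m:
        return None
    src = m["src"].split(",")[0].strip().lower()   # "SrTasks.exe, <dump id>" -> "srtasks.exe"
    if src in SANDBOX_HOST_PROCESSES:
        return "sandbox-host-process"   # describes the analysis VM, not the sample's intent
    if any(marker in m["text"] for marker in FFMPEG_MARKERS):
        return "ffmpeg-codec-table"
    return "needs-review"


def triage(lines: List[str]) -> Dict[str, str]:
    """Verdict per function id (code hits) and per source string (memory-string hits)."""
    verdicts: Dict[str, str] = {}
    for rec in parse_code_functions(lines):
        label = classify_chain(rec["apis"])
        if label == "time-query" and date_check_compares_argument(rec["body"]):
            label = "date-check-on-parameter"   # weak evidence: compare is not on the time
        verdicts[rec["func"]] = label
    for line in lines:
        origin = memory_string_origin(line)
        if origin:
            verdicts[MEM_RE.match(line.strip())["src"]] = origin
    return verdicts


if __name__ == "__main__":
    for key, verdict in triage(LINES).items():
        print(f"{verdict:26} {key}")
```

Whatever ends up "unclassified" or "needs-review" is the residue left for manual review; on this excerpt that is nothing, which matches the rest of the report: an NSIS installer that unpacks the IPCTools product tree, kills any running IPCTools.exe, and runs two Visual C++ redistributables.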
No contacted IP infos