Windows Analysis Report
flashcenter_pp_ax_inst78ll_cn.exe

Overview

General Information

Sample name: flashcenter_pp_ax_inst78ll_cn.exe
Analysis ID: 1567181
MD5: 72469bd8f1f59ddf5512635418b4dcfa
SHA1: 7319eff3e05f09169e94f68b365f4b765bba4682
SHA256: d21de9b307b41aaab3ca9efdf78d15518fa40158eabeb8a06eca0373cf0068db

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
PE file contains section with special chars
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\WXFManager64.dll Virustotal: Detection: 18%
Source: flashcenter_pp_ax_inst78ll_cn.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: flashcenter_pp_ax_inst78ll_cn.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\Courier\Courier\out\build\windows-release-x64\Release\ZipSendService.pdb source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmp, svaulpzg.exe, 00000005.00000000.2159327028.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmp, svaulpzg.exe.3.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2190175865.00007FFDA54B5000.00000002.00000001.01000000.0000000B.sdmp, vcruntime140_1.dll.3.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmp, msvcp140.dll.3.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdbGCTL source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2189796846.00007FFD94535000.00000002.00000001.01000000.0000000A.sdmp, msvcp140.dll.3.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmp, vcruntime140.dll.3.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2190099763.00007FFDA4344000.00000002.00000001.01000000.0000000C.sdmp, vcruntime140.dll.3.dr
Source: Binary string: D:\a\Courier\Courier\out\build\windows-release-x64\Release\ZipSendService.pdbDD0GCTL source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2189711554.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmp, svaulpzg.exe, 00000005.00000000.2159327028.00007FF7E3BE4000.00000002.00000001.01000000.00000008.sdmp, svaulpzg.exe.3.dr
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, svaulpzg.exe, 00000005.00000002.2190175865.00007FFDA54B5000.00000002.00000001.01000000.0000000B.sdmp, vcruntime140_1.dll.3.dr
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_00405A8D FindFirstFileW, 3_2_00405A8D
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD944EA3A0 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn, 5_2_00007FFD944EA3A0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr String found in binary or memory: http://ocsps.ssl.com0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr String found in binary or memory: http://www.winzip.com/authenticode.htm0
Source: flashcenter_pp_ax_inst78ll_cn.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000003.2125986998.000000007F1FB000.00000004.00001000.00020000.00000000.sdmp, flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000003.2125606246.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, flashcenter_pp_ax_inst78ll_cn.tmp, 00000002.00000000.2127558309.0000000000431000.00000020.00000001.01000000.00000004.sdmp, flashcenter_pp_ax_inst78ll_cn.tmp.0.dr String found in binary or memory: https://www.innosetup.com/
Source: flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000003.2125986998.000000007F1FB000.00000004.00001000.00020000.00000000.sdmp, flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000003.2125606246.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, flashcenter_pp_ax_inst78ll_cn.tmp, 00000002.00000000.2127558309.0000000000431000.00000020.00000001.01000000.00000004.sdmp, flashcenter_pp_ax_inst78ll_cn.tmp.0.dr String found in binary or memory: https://www.remobjects.com/ps
Source: 99e5df4d8.exe, 00000003.00000003.2152499649.0000000002590000.00000004.00001000.00020000.00000000.sdmp, WXFManager64.dll.3.dr, svaulpzg.exe.3.dr String found in binary or memory: https://www.ssl.com/repository0

System Summary

Source: WXFManager64.dll.3.dr Static PE information: section name: . vt
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_00414F30 3_2_00414F30
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_0040704D 3_2_0040704D
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_004240A0 3_2_004240A0
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_0041E1E0 3_2_0041E1E0
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_004212C0 3_2_004212C0
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_00425360 3_2_00425360
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_004253EC 3_2_004253EC
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_004194A9 3_2_004194A9
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_00426620 3_2_00426620
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_004226B0 3_2_004226B0
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_00402866 3_2_00402866
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_004248E0 3_2_004248E0
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_0041E9A0 3_2_0041E9A0
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_00424AB0 3_2_00424AB0
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_00420CA9 3_2_00420CA9
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_0041DDB0 3_2_0041DDB0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FF7E3BDBC40 5_2_00007FF7E3BDBC40
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FF7E3BDF400 5_2_00007FF7E3BDF400
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FF7E3BD23C0 5_2_00007FF7E3BD23C0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FF7E3BDA680 5_2_00007FF7E3BDA680
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FF7E3BD59B0 5_2_00007FF7E3BD59B0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FF7E3BDF160 5_2_00007FF7E3BDF160
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD944FF4CC 5_2_00007FFD944FF4CC
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD944F6490 5_2_00007FFD944F6490
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD944EBDCC 5_2_00007FFD944EBDCC
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD94502D60 5_2_00007FFD94502D60
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD94512E20 5_2_00007FFD94512E20
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD945135F0 5_2_00007FFD945135F0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD944FAEAC 5_2_00007FFD944FAEAC
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD94515690 5_2_00007FFD94515690
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD94517F58 5_2_00007FFD94517F58
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD9451A718 5_2_00007FFD9451A718
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD945117CC 5_2_00007FFD945117CC
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD944F67C0 5_2_00007FFD944F67C0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD9451A018 5_2_00007FFD9451A018
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD945147E0 5_2_00007FFD945147E0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD94504898 5_2_00007FFD94504898
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD94505130 5_2_00007FFD94505130
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD9450A9C0 5_2_00007FFD9450A9C0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD9450096C 5_2_00007FFD9450096C
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD944EF220 5_2_00007FFD944EF220
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD944EBA48 5_2_00007FFD944EBA48
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD94503A10 5_2_00007FFD94503A10
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD944F6B18 5_2_00007FFD944F6B18
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD944ED3A8 5_2_00007FFD944ED3A8
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD944F8B78 5_2_00007FFD944F8B78
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD944F7364 5_2_00007FFD944F7364
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD944FA38C 5_2_00007FFD944FA38C
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD94518BF8 5_2_00007FFD94518BF8
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFDA3733042 5_2_00007FFDA3733042
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFDA3561000 5_2_00007FFDA3561000
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFDA3732EDA 5_2_00007FFDA3732EDA
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFDA433635C 5_2_00007FFDA433635C
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\msvcp140.dll A4C2229BDC2A2A630ACDC095B4D86008E5C3E3BC7773174354F3DA4F5BEB9CDE (msvcp140.dll is a stock Microsoft Visual C++ runtime DLL, see its Microsoft build PDB path above; its hash overlapping with other samples is expected and is a weak indicator on its own)
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: String function: 00425A80 appears 186 times
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: String function: 00403BA5 appears 61 times
Source: flashcenter_pp_ax_inst78ll_cn.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: flashcenter_pp_ax_inst78ll_cn.exe Static PE information: Number of sections : 11 > 10
Source: flashcenter_pp_ax_inst78ll_cn.tmp.0.dr Static PE information: Number of sections : 11 > 10
Source: flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000000.2123366862.00000000002E9000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs flashcenter_pp_ax_inst78ll_cn.exe
Source: flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000003.2125986998.000000007F4EB000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs flashcenter_pp_ax_inst78ll_cn.exe
Source: flashcenter_pp_ax_inst78ll_cn.exe, 00000000.00000003.2125606246.0000000002ABF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs flashcenter_pp_ax_inst78ll_cn.exe
Source: flashcenter_pp_ax_inst78ll_cn.exe Binary or memory string: OriginalFileName vs flashcenter_pp_ax_inst78ll_cn.exe
Source: flashcenter_pp_ax_inst78ll_cn.exe Binary or memory string: OriginalFilename: 7z.sfx.exe vs flashcenter_pp_ax_inst78ll_cn.exe (the embedded version info names the 7-Zip self-extractor module; this matches the dropped 99e5df4d8.exe being launched with the 7-Zip extraction switches -p, -y and -o in the Process created rows)
Source: classification engine Classification label: mal52.winEXE@8/11@0/0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD944EA880 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn, 5_2_00007FFD944EA880
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FF7E3BDB970 CoCreateInstance,GetModuleFileNameW, 5_2_00007FF7E3BDB970
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp File created: C:\Users\user\AppData\Roaming\9430dad
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1764:120:WilError_03
Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe File created: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp
Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: flashcenter_pp_ax_inst78ll_cn.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe File read: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe
Source: unknown Process created: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe "C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe"
Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe Process created: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp "C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp" /SL5="$2042C,19484773,802304,C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe"
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Process created: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe "C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe" -p4f63a7bd -y -o"C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\..\76809449335627201121797450\"
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Process created: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe "C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\..\76809449335627201121797450\svaulpzg.exe"
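The Process created rows give the whole delivery chain: the Inno Setup stub re-launches itself as a .tmp with /SL5=, the .tmp runs a self-extractor dropped under AppData\Roaming with 7-Zip's -p (password), -y (assume yes) and -o (output directory) switches, and then starts svaulpzg.exe from that output directory. The Python below is an added example, not code from the report or from Joe Sandbox: it rebuilds that chain from process-creation events constructed from the rows above, normalises the ..-containing -o target so it can be matched against the later image path, and recovers the archive password. The ProcEvent layout and the regular expressions are assumptions made for the example.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image of the creating process ("" when the sandbox reports it as unknown)
    image: str    # image of the created process
    cmdline: str  # full command line as logged


# Constructed from the "Process created" rows of this report; not a log exported by the sandbox.
DESKTOP_EXE = r"C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe"
INNO_TMP = r"C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp"
SFX_EXE = r"C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe"
PAYLOAD_EXE = r"C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe"
# The -o target as logged: it goes through a sibling is-*.tmp directory and back up with "..".
EXTRACT_DIR_ARG = r"C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\..\76809449335627201121797450"

EVENTS = [
    ProcEvent("", DESKTOP_EXE, '"' + DESKTOP_EXE + '"'),
    ProcEvent(DESKTOP_EXE, INNO_TMP, '"' + INNO_TMP + '" /SL5="$2042C,19484773,802304,' + DESKTOP_EXE + '"'),
    ProcEvent(INNO_TMP, SFX_EXE, '"' + SFX_EXE + '" -p4f63a7bd -y -o"' + EXTRACT_DIR_ARG + '\\"'),
    ProcEvent(SFX_EXE, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(INNO_TMP, PAYLOAD_EXE, '"' + EXTRACT_DIR_ARG + '\\svaulpzg.exe"'),
]

INNO_STAGE2 = re.compile(r"/SL5=", re.IGNORECASE)            # Inno Setup stub -> unpacked .tmp hand-off
SEVENZIP_PASSWORD = re.compile(r"(?:^|\s)-p(\S+)")           # 7-Zip: -p{password}
SEVENZIP_OUTDIR = re.compile(r'(?:^|\s)-o(?:"([^"]+)"|(\S+))')  # 7-Zip: -o{dir}, quoted or bare


def norm_dir(path: str) -> str:
    """Collapse '..' and case so the -o target and a later image directory compare equal."""
    return ntpath.normcase(ntpath.normpath(path))


def analyze(events: list[ProcEvent]) -> dict:
    """Walk the events in order and tie each stage of the chain to the one that produced it."""
    report = {"inno_stage2": [], "extractions": [], "executed_from_extract_dir": []}
    extract_dirs: dict[str, str] = {}  # normalised output dir -> extractor image
    for ev in events:
        if ev.image.lower().endswith(".tmp") and INNO_STAGE2.search(ev.cmdline):
            report["inno_stage2"].append(ev.image)
        pw = SEVENZIP_PASSWORD.search(ev.cmdline)
        out = SEVENZIP_OUTDIR.search(ev.cmdline)
        if pw and out:
            outdir = norm_dir(out.group(1) or out.group(2))
            extract_dirs[outdir] = ev.image
            report["extractions"].append({
                "image": ev.image, "parent": ev.parent, "password": pw.group(1), "outdir": outdir,
                "from_roaming": "\\appdata\\roaming\\" in ev.image.lower(),
            })
        image_dir = norm_dir(ntpath.dirname(ev.image))
        if image_dir in extract_dirs:
            report["executed_from_extract_dir"].append({
                "image": ev.image, "parent": ev.parent, "extractor": extract_dirs[image_dir],
            })
    return report


if __name__ == "__main__":
    result = analyze(EVENTS)
    for ex in result["extractions"]:
        print(f"password-protected extraction by {ex['image']} (password {ex['password']}) -> {ex['outdir']}")
    for run in result["executed_from_extract_dir"]:
        print(f"{run['image']} started by {run['parent']} from archive unpacked by {run['extractor']}")
```

The recovered password is what you need to open the dropped archive yourself, for example with 7z l -p4f63a7bd 99e5df4d8.exe (7-Zip reads the 7z payload embedded in an SFX executable). conhost.exe being spawned by 99e5df4d8.exe is consistent with a console-subsystem self-extractor. The same logic applies to Sysmon Event ID 1 records once they are mapped onto ProcEvent.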
Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Section loaded: wxfmanager64.dll
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: flashcenter_pp_ax_inst78ll_cn.exe Static file information: File size 20442024 > 1048576
Source: msvcp140.dll.3.dr Static PE information: 0xB3DF2F63 [Mon Aug 17 15:25:23 2065 UTC] (Microsoft builds its Visual C++ runtime DLLs reproducibly, so the TimeDateStamp field holds a content hash rather than a build time; a future date in this DLL is expected and is not evidence of tampering on its own)
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FF7E3BDBC40 RegOpenKeyExW,RegQueryInfoKeyW,RegCloseKey,malloc,RegEnumValueW,memcpy,GetFileVersionInfoSizeW,malloc,GetFileVersionInfoW,VerQueryValueW,memcpy,free,free,RegCloseKey,RegOpenKeyExW,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,LoadLibraryW,GetProcAddress,FreeLibrary,SHDeleteKeyW,RegSetValueExW,RegCloseKey, 5_2_00007FF7E3BDBC40
Source: flashcenter_pp_ax_inst78ll_cn.exe Static PE information: section name: .didata
Source: flashcenter_pp_ax_inst78ll_cn.tmp.0.dr Static PE information: section name: .didata
Source: is-URMQG.tmp.2.dr Static PE information: section name: .sxdata
Source: vcruntime140.dll.3.dr Static PE information: section name: fothk
Source: vcruntime140.dll.3.dr Static PE information: section name: _RDATA
Source: WXFManager64.dll.3.dr Static PE information: section name: .00cfg
Source: WXFManager64.dll.3.dr Static PE information: section name: .gxfg
Source: WXFManager64.dll.3.dr Static PE information: section name: .retplne
Source: WXFManager64.dll.3.dr Static PE information: section name: _RDATA
Source: WXFManager64.dll.3.dr Static PE information: section name: . vt
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_00425A80 push eax; ret 3_2_00425A9E
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_00425E10 push eax; ret 3_2_00425E3E
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFDA356613F push r14; iretd 5_2_00007FFDA3566168
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFDA3562853 push rcx; iretd 5_2_00007FFDA3562854
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFDA35627E5 push rsi; ret 5_2_00007FFDA35627E6
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFDA3564FF7 push rsp; retf 5_2_00007FFDA3565009
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFDA35686A2 pushfq ; ret 5_2_00007FFDA35686AA
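The push/ret hits above come from a static signature that looks for a `push <reg>` immediately followed by a return-family instruction. A `push reg; ret` pair pops the pushed value into the instruction pointer, so it is `jmp reg` written in a way that hides the branch from linear disassemblers and call-graph builders; that is the obfuscation the signature is named after. The far and interrupt variants (`push rcx; iretd`, `push rsp; retf`) are not meaningful code and are two-byte patterns that also occur inside plain data, which is why hits at 0x7FFDA356xxxx in a loaded 64-bit module deserve a look before being scored. The scanner below is an added example written for this page, not the sandbox's own code; the two byte samples are constructed, not bytes taken from the report's binaries, and 64-bit register names are used for both 32- and 64-bit encodings.

```python
import struct

# Registers in x86-64 encoding order. Without a REX prefix in 32-bit code the same
# opcodes name eax..edi; the 64-bit names are used for both here.
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]

# Return-family opcodes that a preceding push turns into an indirect transfer.
RETS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def find_push_ret(code: bytes, base: int = 0):
    """Linear sweep for `push <reg>; ret`-style pairs, the way a static signature does.

    Returns (address, mnemonic) tuples. A REX prefix (0x40-0x4F) in front of the push
    is honoured so that `41 56 CF` decodes as `push r14; iretd`.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        j, rex = i, 0
        if 0x40 <= code[j] <= 0x4F and j + 1 < n:      # REX prefix
            rex, j = code[j], j + 1
        op = code[j]
        mnem = None
        if 0x50 <= op <= 0x57:                           # push r32/r64
            mnem = "push " + REG64[(op - 0x50) + (8 if rex & 1 else 0)]
        elif op == 0x9C:                                 # pushfd/pushfq
            mnem = "pushfq"
        if mnem and j + 1 < n and code[j + 1] in RETS:
            hits.append((base + i, f"{mnem}; {RETS[code[j + 1]]}"))
            i = j + 2                                    # step over the matched pair
        else:
            i += 1
    return hits


def equivalent_transfer(mnemonic: str):
    """`push reg; ret` pops the pushed value into RIP, i.e. it is `jmp reg` in disguise.

    The far/interrupt variants are not sane code and are almost always decoded data,
    so they get no equivalent.
    """
    push, ret = mnemonic.split("; ")
    if ret == "ret" and push.startswith("push "):
        return "jmp " + push[5:]
    return None


# Constructed 16-byte snippet (not bytes from the report's binaries): a 32-bit
# `mov eax,[esp+4]; push eax; ret` thunk, a nop, then the three 64-bit shapes the
# sandbox reported inside svaulpzg.exe's address space.
CODE_SAMPLE = bytes([
    0x8B, 0x44, 0x24, 0x04,   # mov eax, [esp+4]
    0x50, 0xC3,               # push eax ; ret      -> jmp eax
    0x90,                     # nop
    0x41, 0x56, 0xCF,         # push r14 ; iretd
    0x9C, 0xC3,               # pushfq   ; ret
    0x51, 0xCF,               # push rcx ; iretd
    0x54, 0xCB,               # push rsp ; retf
])

# Constructed non-code bytes: a little-endian table of 32-bit values. 0x0001CF51 is
# stored as 51 CF 01 00, so a byte scanner "finds" push rcx; iretd inside plain data.
DATA_SAMPLE = struct.pack("<III", 0x0001CF51, 0x00002000, 0x0000CB54)


if __name__ == "__main__":
    for addr, mnem in find_push_ret(CODE_SAMPLE, base=0x401000):
        print(f"{addr:08X}  {mnem:<18} {equivalent_transfer(mnem) or '(data?)'}")
    print("hits in pure data:", find_push_ret(DATA_SAMPLE))
```

Only the first hit in the code sample is a real indirect jump; the remaining four, like the two hits inside the integer table, are the shapes a two-byte pattern produces by chance. A practitioner scoring this signature should confirm the hit lies in an executable section and on a decoded instruction boundary before treating it as obfuscation.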
Source: WXFManager64.dll.3.dr Static PE information: section name: .text entropy: 7.221036407638945
Source: WXFManager64.dll.3.dr Static PE information: section name: . vt entropy: 7.917881220510166
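The timestamp hit on msvcp140.dll, the non-standard and special-character section names, and the entropy figures for WXFManager64.dll are all read straight from the COFF header and the section table. The parser below reproduces those three checks on a file image so the numbers in the report can be regenerated and the thresholds questioned. It is an added example written for this page, not Joe Sandbox code; the list of "standard" section names and the 7.0 bits/byte threshold are the editor's choices, and the PE image it builds is constructed for the demonstration (it reuses the report's 0xB3DF2F63 stamp and a `. vt` section name, but is not one of the report's files).

```python
import hashlib
import math
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TS_1995 = 788_918_400   # 1995-01-01 UTC; a stamp older than this is as odd as a future one

# Section names the mainstream toolchains emit (MSVC, MinGW, Delphi/Inno Setup).
# Editor's list, not the sandbox's own; extend it for your environment.
STANDARD_SECTIONS = {
    ".text", ".rdata", ".data", ".pdata", ".idata", ".edata", ".rsrc", ".reloc",
    ".bss", ".tls", ".CRT", ".gfids", ".xdata", ".itext", ".didata",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random; packed or encrypted code sits above ~7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def format_timestamp(ts: int) -> str:
    """Render a COFF TimeDateStamp the way the report does: 'Mon Aug 17 15:25:23 2065 UTC'."""
    return f"{EPOCH + timedelta(seconds=ts):%a %b %d %H:%M:%S %Y} UTC"


def parse_pe(image: bytes):
    """Return (TimeDateStamp, [(section_name, raw_bytes), ...]) from a PE file image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size            # section table follows the optional header
    sections = []
    for k in range(nsections):
        off = table + 40 * k
        name = image[off:off + 8].rstrip(b"\0").decode("latin-1")
        _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return timestamp, sections


def triage(image: bytes, now_ts=None) -> list:
    """Reproduce the three static checks: odd timestamp, odd section names, high entropy."""
    now_ts = int(datetime.now(timezone.utc).timestamp()) if now_ts is None else now_ts
    ts, sections = parse_pe(image)
    findings = []
    if ts > now_ts or ts < TS_1995:
        findings.append(f"suspicious timestamp 0x{ts:08X} [{format_timestamp(ts)}]")
    for name, raw in sections:
        if any(not 0x21 <= b <= 0x7E for b in name.encode("latin-1")):
            findings.append(f"section name with special chars: {name!r}")
        elif name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {name!r}")
        entropy = shannon_entropy(raw)
        if entropy > 7.0:
            findings.append(f"high-entropy section {name!r}: {entropy:.3f}")
    return findings


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed PE32+ image for the example; not one of the report's files."""
    text_raw = bytes(range(16)) * 32            # 512 bytes, entropy exactly 4.0
    vt_raw = pseudo_random_bytes(1024)          # ~7.8 bits/byte, looks packed
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    opt_size = 0xF0                                                 # PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0xB3DF2F63, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b". vt", 0x400, 0x2000, 0x400, 0x400, 0, 0, 0, 0, 0xE0000020)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers + b"\0" * (0x200 - len(headers)) + text_raw + vt_raw


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print(line)
```

Two caveats when reading the report's own hits with this in hand. The timestamp finding lands on msvcp140.dll, whose PDB path (`D:\a\_work\1\s\binaries\amd64ret\...`) is Microsoft's build-agent layout; Microsoft builds its redistributables deterministically, which stores a content hash in TimeDateStamp rather than a date, so a 2065 stamp on that DLL is expected and says nothing about tampering. Verify the Authenticode signature on the dropped copy instead. Conversely, `.didata` on the Inno Setup installer and its extracted `.tmp` is Delphi's delayed-import section and is normal; the indicator that actually matters is WXFManager64.dll, where a section whose name carries a non-printable byte also has 7.92 bits/byte of entropy, the usual shape of a packed payload the dropper unpacks at run time.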
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp File created: C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe File created: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\vcruntime140.dll
Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe File created: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe File created: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp File created: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe (copy)
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe File created: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\msvcp140.dll
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe File created: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe File created: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\WXFManager64.dll
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp File created: C:\Users\user\AppData\Roaming\9430dad\is-URMQG.tmp
Source: C:\Users\user\Desktop\flashcenter_pp_ax_inst78ll_cn.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (10 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3DAJ2.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe API coverage: 1.1 %
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_00405A8D FindFirstFileW, 3_2_00405A8D
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD944EA3A0 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn, 5_2_00007FFD944EA3A0
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_0040736E GetSystemInfo, 3_2_0040736E
Source: flashcenter_pp_ax_inst78ll_cn.exe, is-URMQG.tmp.2.dr Binary or memory string: hgfS]
Source: C:\Users\user\AppData\Local\Temp\is-C1P8K.tmp\flashcenter_pp_ax_inst78ll_cn.tmp Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FF7E3BE20F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF7E3BE20F0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FF7E3BE24C0 GetLastError,IsDebuggerPresent,OutputDebugStringW, 5_2_00007FF7E3BE24C0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FF7E3BDBC40 RegOpenKeyExW,RegQueryInfoKeyW,RegCloseKey,malloc,RegEnumValueW,memcpy,GetFileVersionInfoSizeW,malloc,GetFileVersionInfoW,VerQueryValueW,memcpy,free,free,RegCloseKey,RegOpenKeyExW,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,LoadLibraryW,GetProcAddress,FreeLibrary,SHDeleteKeyW,RegSetValueExW,RegCloseKey, 5_2_00007FF7E3BDBC40
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FF7E3BE18DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00007FF7E3BE18DC
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FF7E3BE20F0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF7E3BE20F0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FF7E3BE22D0 SetUnhandledExceptionFilter, 5_2_00007FF7E3BE22D0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFD945323A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00007FFD945323A0
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFDA4340C18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00007FFDA4340C18
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: 5_2_00007FFDA54B4738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00007FFDA54B4738
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_00426100 cpuid 3_2_00426100
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: ___lc_locale_name_func,GetLocaleInfoEx, 5_2_00007FFD9450D830
Source: C:\Users\user\AppData\Local\Temp\76809449335627201121797450\svaulpzg.exe Code function: GetLocaleInfoEx,FormatMessageA, 5_2_00007FFD944F207C
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_00407455 GetSystemTimeAsFileTime, 3_2_00407455
Source: C:\Users\user\AppData\Roaming\9430dad\99e5df4d8.exe Code function: 3_2_00426040 GetVersion, 3_2_00426040
No contacted IP infos