Analysis Report https://download01.logi.com/web/ftp/pub/techsupport/capture/Capture_2.06.8.exe

Overview

General Information

Sample URL: https://download01.logi.com/web/ftp/pub/techsupport/capture/Capture_2.06.8.exe
Analysis ID: 378606

Detection

Score: 10
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

Classification chart (behaviour categories): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Verdict scale: clean, suspicious, malicious.
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\da\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\de\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\el\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\en\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\en\License_logicool.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\es\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\fi\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\fr\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\it\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\ja\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\ko\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\nl\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\no\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\pl\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\pt-BR\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\pt-PT\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\ru\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\sv\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\zh-CN\License.rtf
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\zh-TW\License.rtf
Source: Binary string: D:\Projects\XSplit_git\cppcore\Components\LogitechInstallerDll\Release\LogitechInstallerDll.pdb source: Capture_2.06.8.exe, 0000000F.00000002.680914436.000000007099C000.00000002.00020000.sdmp
Source: Binary string: e:\Builds\Kamino\Kamino_2.06\2.06.8\Install\LCaptureInstallerUI\LCaptureInstallerUI\obj\x64\Release\LCaptureInstallerUI.pdb source: LCaptureInstallerUI.exe
Source: Binary string: D:\Repositories\cppcore\bin\release\x64\VHMultiWriterExt2.pdb source: VHMultiWriterExt2.exe.15.dr
Source: Binary string: DpInst.pdbH source: dpinst.exe.15.dr
Source: Binary string: DpInst.pdb source: dpinst.exe.15.dr
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_0040287E FindFirstFileW, 15_2_0040287E
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_004063F1 FindFirstFileW,FindClose, 15_2_004063F1
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_0040589F GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 15_2_0040589F
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wget.exe, 00000002.00000002.352957999.0000000000D18000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: LCaptureInstallerUI.exe, 00000012.00000002.682779587.0000000003EF9000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/LCaptureInstallerUI;component/Resources/Fonts/brownpro-bold.otf
Source: LCaptureInstallerUI.exe, 00000012.00000002.682557789.0000000003D79000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/LCaptureInstallerUI;component/Resources/Fonts/brownpro-bold.ttf
Source: LCaptureInstallerUI.exe, 00000012.00000002.682779587.0000000003EF9000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/LCaptureInstallerUI;component/Resources/Fonts/brownpro-light.otf
Source: LCaptureInstallerUI.exe, 00000012.00000002.682256116.0000000003BF9000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/LCaptureInstallerUI;component/Resources/Fonts/brownpro-regular.ttf
Source: LCaptureInstallerUI.exe, 00000012.00000002.682779587.0000000003EF9000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/LCaptureInstallerUI;component/Resources/Fonts/brownpro-thin.otf
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/LCaptureInstallerUI;component/Resources/Images/Icons/Kamino124/Kamino124.png
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/LCaptureInstallerUI;component/analytics.png
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/LCaptureInstallerUI;component/kamino124.png
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/LCaptureInstallerUI;component/kamino124Done.png
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/LCaptureInstallerUI;component/pages/analytics.xaml
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/LCaptureInstallerUI;component/pages/closeapps.xaml
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/LCaptureInstallerUI;component/pages/finished.xaml
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/LCaptureInstallerUI;component/pages/install.xaml
Source: LCaptureInstallerUI.exe, 00000012.00000002.682779587.0000000003EF9000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/Resources/Fonts/brownpro-bold.otf
Source: LCaptureInstallerUI.exe, 00000012.00000002.682779587.0000000003EF9000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/Resources/Fonts/brownpro-bold.ttf
Source: LCaptureInstallerUI.exe, 00000012.00000002.682256116.0000000003BF9000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/Resources/Fonts/brownpro-light.otf
Source: LCaptureInstallerUI.exe, 00000012.00000002.682256116.0000000003BF9000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/Resources/Fonts/brownpro-regular.ttf
Source: LCaptureInstallerUI.exe, 00000012.00000002.682779587.0000000003EF9000.00000004.00000001.sdmp String found in binary or memory: http://defaultcontainer/Resources/Fonts/brownpro-thin.otf
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: LCaptureInstallerUI.exe, 00000012.00000002.682779587.0000000003EF9000.00000004.00000001.sdmp String found in binary or memory: http://foo/Resources/Fonts/brownpro-bold.otf
Source: LCaptureInstallerUI.exe, 00000012.00000002.682779587.0000000003EF9000.00000004.00000001.sdmp String found in binary or memory: http://foo/Resources/Fonts/brownpro-bold.ttf
Source: LCaptureInstallerUI.exe, 00000012.00000002.682256116.0000000003BF9000.00000004.00000001.sdmp String found in binary or memory: http://foo/Resources/Fonts/brownpro-light.otf
Source: LCaptureInstallerUI.exe, 00000012.00000002.682256116.0000000003BF9000.00000004.00000001.sdmp String found in binary or memory: http://foo/Resources/Fonts/brownpro-regular.ttf
Source: LCaptureInstallerUI.exe, 00000012.00000002.682779587.0000000003EF9000.00000004.00000001.sdmp String found in binary or memory: http://foo/Resources/Fonts/brownpro-thin.otf
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://foo/Resources/Images/Icons/Kamino124/Kamino124.png
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://foo/analytics.png
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://foo/bar/analytics.png
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://foo/bar/kamino124.png
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://foo/bar/kamino124done.png
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://foo/bar/pages/analytics.baml
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://foo/bar/pages/closeapps.baml
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://foo/bar/pages/finished.baml
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://foo/bar/pages/install.baml
Source: LCaptureInstallerUI.exe, 00000012.00000002.682779587.0000000003EF9000.00000004.00000001.sdmp String found in binary or memory: http://foo/bar/resources/fonts/brownpro-bold.otf
Source: LCaptureInstallerUI.exe, 00000012.00000002.682779587.0000000003EF9000.00000004.00000001.sdmp String found in binary or memory: http://foo/bar/resources/fonts/brownpro-bold.ttf
Source: LCaptureInstallerUI.exe, 00000012.00000002.682256116.0000000003BF9000.00000004.00000001.sdmp String found in binary or memory: http://foo/bar/resources/fonts/brownpro-light.otf
Source: LCaptureInstallerUI.exe, 00000012.00000002.682256116.0000000003BF9000.00000004.00000001.sdmp String found in binary or memory: http://foo/bar/resources/fonts/brownpro-regular.ttf
Source: LCaptureInstallerUI.exe, 00000012.00000002.682779587.0000000003EF9000.00000004.00000001.sdmp String found in binary or memory: http://foo/bar/resources/fonts/brownpro-thin.otf
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://foo/bar/resources/images/icons/kamino124/kamino124.png
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://foo/kamino124.png
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://foo/kamino124Done.png
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://foo/pages/analytics.xaml
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://foo/pages/closeapps.xaml
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://foo/pages/finished.xaml
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://foo/pages/install.xaml
Source: Capture_2.06.8.exe, 0000000F.00000000.411376593.000000000040A000.00000008.00020000.sdmp, Capture_2.06.8.exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: License.rtf2.15.dr String found in binary or memory: http://opensource.logitech.com
Source: License.rtf8.15.dr, License.rtf.15.dr, License.rtf7.15.dr String found in binary or memory: http://pugixml.org)
Source: License.rtf1.15.dr, License.rtf15.15.dr, License.rtf6.15.dr, License.rtf4.15.dr, License.rtf10.15.dr, License.rtf0.15.dr, License.rtf14.15.dr, License.rtf9.15.dr, License.rtf3.15.dr String found in binary or memory: http://pugixml.org).
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: LCaptureInstallerUI.exe, 00000012.00000000.419847861.0000000000502000.00000002.00020000.sdmp String found in binary or memory: http://support.logicool.co.jp/
Source: LCaptureInstallerUI.exe, 00000012.00000000.419847861.0000000000502000.00000002.00020000.sdmp String found in binary or memory: http://support.logicool.co.jp/article/logitechflow-help
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://support.logitech.com/
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://support.logitech.com/article/logitechflow-help
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://support.logitech.com/software/capture
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: LCaptureInstallerUI.exe String found in binary or memory: http://www.lineto.c
Source: LCaptureInstallerUI.exe String found in binary or memory: http://www.lineto.com
Source: LCaptureInstallerUI.exe, 00000012.00000000.419847861.0000000000502000.00000002.00020000.sdmp, LCaptureInstallerUI.exe, 00000012.00000002.699148830.0000000022E72000.00000004.00000001.sdmp, LCaptureInstallerUI.exe, 00000012.00000002.682779587.0000000003EF9000.00000004.00000001.sdmp String found in binary or memory: http://www.lineto.com/Lineto.com/Font
Source: LCaptureInstallerUI.exe, LCaptureInstallerUI.exe, 00000012.00000002.682256116.0000000003BF9000.00000004.00000001.sdmp, LCaptureInstallerUI.exe, 00000012.00000000.419847861.0000000000502000.00000002.00020000.sdmp, LCaptureInstallerUI.exe, 00000012.00000002.699148830.0000000022E72000.00000004.00000001.sdmp String found in binary or memory: http://www.lineto.com/The
Source: LCaptureInstallerUI.exe String found in binary or memory: http://www.lineto.comht
Source: LCaptureInstallerUI.exe String found in binary or memory: http://www.lineto.comhttp:
Source: LCaptureInstallerUI.exe String found in binary or memory: http://www.lineto.comhttp:/
Source: LCaptureInstallerUI.exe, 00000012.00000000.419847861.0000000000502000.00000002.00020000.sdmp String found in binary or memory: http://www.lineto.comhttp://www.lineto.com/The
Source: LCaptureInstallerUI.exe, 00000012.00000002.682256116.0000000003BF9000.00000004.00000001.sdmp, LCaptureInstallerUI.exe, 00000012.00000000.419847861.0000000000502000.00000002.00020000.sdmp String found in binary or memory: http://www.lineto.comhttp://www.lineto.comhttp://www.lineto.com/The
Source: LCaptureInstallerUI.exe, 00000012.00000000.419847861.0000000000502000.00000002.00020000.sdmp String found in binary or memory: http://www.logicool.co.jp/
Source: LCaptureInstallerUI.exe, LCaptureInstallerUI.exe, 00000012.00000000.419847861.0000000000502000.00000002.00020000.sdmp String found in binary or memory: http://www.logitech.com
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://www.logitech.com/
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: http://www.logitech.com/assets/65580/logitech-eula.pdf
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: LCaptureInstallerUI.exe, 00000012.00000002.698599754.0000000021E56000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: wget.exe, 00000002.00000002.352998436.00000000015A0000.00000004.00000040.sdmp, cmdline.out.2.dr String found in binary or memory: https://download01.logi.com/web/ftp/pub/techsupport/capture/Capture_2.06.8.exe
Source: VHMultiWriterExt2.exe.15.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: LCaptureInstallerUI.exe, 00000012.00000000.419847861.0000000000502000.00000002.00020000.sdmp String found in binary or memory: https://www.logicool.co.jp/legal/product-privacy-policy.html
Source: License.rtf2.15.dr String found in binary or memory: https://www.logitech.com/en-ch/legal/product-privacy-policy.html
Source: LCaptureInstallerUI.exe, 00000012.00000002.678611912.0000000003821000.00000004.00000001.sdmp String found in binary or memory: https://www.logitech.com/legal/product-privacy-policy.html

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_0040534C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 15_2_0040534C

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Win7Res\luvc1564c.cat

System Summary:

Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\wget.exe Process Stats: CPU usage > 98%
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_004032FE EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 15_2_004032FE
Detected potential crypto function
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_00406776 15_2_00406776
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_00404B89 15_2_00404B89
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_709918F6 15_2_709918F6
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_70996494 15_2_70996494
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_70997680 15_2_70997680
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_709993D1 15_2_709993D1
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_70997BF2 15_2_70997BF2
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_7099A33D 15_2_7099A33D
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_70998164 15_2_70998164
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Code function: 18_2_00007FFAF1930A6D 18_2_00007FFAF1930A6D
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Code function: 18_2_00007FFAF1937DDB 18_2_00007FFAF1937DDB
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Code function: 18_2_00007FFAF19320CB 18_2_00007FFAF19320CB
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Code function: 18_2_00007FFAF1931D0D 18_2_00007FFAF1931D0D
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Code function: 18_2_00007FFAF1932660 18_2_00007FFAF1932660
PE file contains strange resources
Source: Capture_2.06.8.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: clean10.win@7/54@0/2
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_004032FE EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 15_2_004032FE
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_0040460D GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 15_2_0040460D
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_00402104 CoCreateInstance, 15_2_00402104
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\LogiCaptureInstaller{25AB561A-6021-4379-96FF-8949DCE5D718-Open}
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Mutant created: \Sessions\1\BaseNamedObjects\Capture-{0D8F81A5-E8E7-4798-99B8-62A3EC6FB42D}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6252:120:WilError_01
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\nsa77C6.tmp
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\wget.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\wget.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: LCaptureInstallerUI.exe String found in binary or memory: /LCaptureInstallerUI;component/pages/install.xaml
Source: LCaptureInstallerUI.exe String found in binary or memory: mere at vide om %BrandName%s</String> <String key="Analytics:PrivacyPolicy"> politik om beskyttelse af personlige oplysninger</String> <String key="Analytics:WelcomeEULA">Slutbrugerlicensaftalen</String> <!--Installing Page--> <String key="In
Source: LCaptureInstallerUI.exe String found in binary or memory: ing> <!--Install Completed Page--> <String key="Installed">ist installiert</String> <String key="MoreInformation">Weitere Informationen finden Sie auf der Support-Seite</String> <String key="Continue">WEITER</String> <String key="OpenApp">
Source: LCaptureInstallerUI.exe String found in binary or memory: <String key="Analytics:LearnMore"> %BrandName% </String> <String key="Analytics:PrivacyPolicy"> </String> <String key="Analytics:WelcomeEULA"></String> <!--Installing
Source: LCaptureInstallerUI.exe String found in binary or memory: </String> <String key="AppDescription:2"></String> <!--Install Completed Page--> <Str
Source: LCaptureInstallerUI.exe String found in binary or memory: </String> <!--Installing Page--> <String key="Installing"></String> <String key="Installing:2"></String> <String key="
Source: LCaptureInstallerUI.exe String found in binary or memory: ontratto di licenza con l'utente finale</String> <!--Installing Page--> <String key="Installing">Installazione</String> <String key="Installing:2">Installazione in corso...</String> <String key="AppDescription">%BrandName% Capture ti consente
Source: LCaptureInstallerUI.exe String found in binary or memory: de %BrandName%</String> <String key="Analytics:WelcomeEULA">Contrat de licence utilisateur final</String> <!--Installing Page--> <String key="Installing">Installation en cours...</String> <String key="Installing:2">Installation en cours</Stri
Source: LCaptureInstallerUI.exe String found in binary or memory: mest mulig ut av dine %BrandName%-webkameraer. Vent litt, denne prosessen kan ta et par minutter.</String> <String key="AppDescription:2">Vent litt, denne prosessen kan ta et par minutter.</String> <!--Install Completed Page--> <String key="Insta
Source: LCaptureInstallerUI.exe String found in binary or memory: y="Analytics:PrivacyPolicy"> privacybeleid</String> <String key="Analytics:WelcomeEULA">Gebruiksrechtovereenkomst</String> <!--Installing Page--> <String key="Installing">Installeren...</String> <String key="Installing:2">Installatie in voortg
Source: LCaptureInstallerUI.exe String found in binary or memory: lytics:PrivacyPolicy"> </String> <String key="Analytics:WelcomeEULA"></String> <!--Installing Page--> <String key="Installing"></String> <String key="Ins
Source: LCaptureInstallerUI.exe String found in binary or memory: blik geduld, dit proces kan een paar minuten duren.</String> <!--Install Completed Page--> <String key="Installed">is geinstalleerd</String> <String key="MoreInformation">Ga naar de ondersteuningspagina voor meer informatie</String> <String ke
Source: LCaptureInstallerUI.exe String found in binary or memory: </String> <String key="AppDescription:2"></String> <!--Install Completed Page--> <String key="Installed"></String> <Str
Source: LCaptureInstallerUI.exe String found in binary or memory: ring key="AppDescription:2"> . .</String> <!--Install Completed Page--> <String key="Installed">
Source: LCaptureInstallerUI.exe String found in binary or memory: mara Web %BrandName%. Espere, este proceso puede tardar varios minutos.</String> <String key="AppDescription:2">Espere, este proceso puede tardar varios minutos.</String> <!--Install Completed Page--> <String key="Installed">se ha instalado</Strin
Source: LCaptureInstallerUI.exe String found in binary or memory: pages/install.baml
Source: LCaptureInstallerUI.exe String found in binary or memory: -start
Source: LCaptureInstallerUI.exe String found in binary or memory: -install
Source: LCaptureInstallerUI.exe String found in binary or memory: y="Err:Singleton">Er is een ander exemplaar van het %BrandName% Capture-installatieprogramma actief. Voltooi eerst de andere installatie, voordat u dit installatieprogramma uitvoert.</String> <String key="Err:OS">%BrandName% Capture ondersteunt alleen Wind
Source: LCaptureInstallerUI.exe String found in binary or memory: en</String> <!--First Page--> <String key="WindowName">%BrandName% Capture-Installationsprogramm</String> <String key="ApplicationName">%BrandName% Capture-Installationsprogramm</String> <String key="Welcome">Willkommen bei</String> <Strin
Source: LCaptureInstallerUI.exe String found in binary or memory: pture-installationsprogram</String> <String key="ApplicationName">%BrandName% Capture-installationsprogram</String> <String key="Welcome">Velkommen til</String> <String key="LWS_UnInstall2">%BrandName%-webkamera</String> <String key="LWS_UnInst
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://download01.logi.com/web/ftp/pub/techsupport/capture/Capture_2.06.8.exe' > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://download01.logi.com/web/ftp/pub/techsupport/capture/Capture_2.06.8.exe'
Source: unknown Process created: C:\Users\user\Desktop\download\Capture_2.06.8.exe 'C:\Users\user\Desktop\download\Capture_2.06.8.exe'
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Process created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe 'C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://download01.logi.com/web/ftp/pub/techsupport/capture/Capture_2.06.8.exe' Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Process created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe 'C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe' Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: D:\Projects\XSplit_git\cppcore\Components\LogitechInstallerDll\Release\LogitechInstallerDll.pdb source: Capture_2.06.8.exe, 0000000F.00000002.680914436.000000007099C000.00000002.00020000.sdmp
Source: Binary string: e:\Builds\Kamino\Kamino_2.06\2.06.8\Install\LCaptureInstallerUI\LCaptureInstallerUI\obj\x64\Release\LCaptureInstallerUI.pdb source: LCaptureInstallerUI.exe
Source: Binary string: D:\Repositories\cppcore\bin\release\x64\VHMultiWriterExt2.pdb source: VHMultiWriterExt2.exe.15.dr
Source: Binary string: DpInst.pdbH source: dpinst.exe.15.dr
Source: Binary string: DpInst.pdb source: dpinst.exe.15.dr

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 15_2_10001B18
PE file contains an invalid checksum
Source: System.dll.15.dr Static PE information: real checksum: 0x0 should be: 0xbf2a
Source: Capture_2.06.8.exe.2.dr Static PE information: real checksum: 0x71ff68a should be:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_00D1ADD1 push ss; ret 2_2_00D1ADD2
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_00D1BF14 push edx; retf 2_2_00D1BF16
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_10002DE0 push eax; ret 15_2_10002E0E
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_70991C25 push ecx; ret 15_2_70991C38
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Code function: 18_2_00508E40 push rdx; iretd 18_2_00508E42
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Code function: 18_2_00508D4F push rbx; retf 18_2_00508D57
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Code function: 18_2_00509029 pushfq ; retf 18_2_0050902D
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Code function: 18_2_00007FFAF19379A2 pushad ; retf 18_2_00007FFAF19379A9

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Tools\7z.exe Jump to dropped file
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Tools\7-zip.dll Jump to dropped file
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\nsw7AB5.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Jump to dropped file
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Tools\7z.dll Jump to dropped file
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Win7Res\dpinst.exe Jump to dropped file
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LogitechInstallerDll.dll Jump to dropped file
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\VHMultiWriterExt2.exe Jump to dropped file
Source: C:\Windows\SysWOW64\wget.exe File created: C:\Users\user\Desktop\download\Capture_2.06.8.exe Jump to dropped file
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\nsw7AB5.tmp\UserInfo.dll Jump to dropped file
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\da\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\de\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\el\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\en\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\en\License_logicool.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\es\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\fi\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\fr\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\it\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\ja\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\ko\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\nl\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\no\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\pl\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\pt-BR\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\pt-PT\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\ru\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\sv\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\zh-CN\License.rtf Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File created: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Strings\zh-TW\License.rtf Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_709918F6 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 15_2_709918F6
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Process information set: NOOPENFILEERRORBOX (3 occurrences) Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Process information set: NOOPENFILEERRORBOX (66 occurrences) Jump to behavior

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Tools\7z.exe Jump to dropped file
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Tools\7-zip.dll Jump to dropped file
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Tools\7z.dll Jump to dropped file
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\Win7Res\dpinst.exe Jump to dropped file
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\VHMultiWriterExt2.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe TID: 5236 Thread sleep count: 111 > 30 Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe TID: 5236 Thread sleep time: -111000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe File Volume queried: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_0040287E FindFirstFileW, 15_2_0040287E
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_004063F1 FindFirstFileW,FindClose, 15_2_004063F1
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_0040589F GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 15_2_0040589F
Source: LCaptureInstallerUI.exe, 00000012.00000002.685429409.000000001CBA0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wget.exe Binary or memory string: Hyper-V RAW
Source: LCaptureInstallerUI.exe, 00000012.00000002.685429409.000000001CBA0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: LCaptureInstallerUI.exe, 00000012.00000002.685429409.000000001CBA0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Capture_2.06.8.exe.2.dr Binary or memory string: hgfs?
Source: wget.exe, 00000002.00000002.352957999.0000000000D18000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: LCaptureInstallerUI.exe, 00000012.00000002.685429409.000000001CBA0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe API call chain: ExitProcess graph end node

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_709914FF IsDebuggerPresent, 15_2_709914FF
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_70994A1F EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 15_2_70994A1F
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 15_2_10001B18
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_709916BF GetProcessHeap, 15_2_709916BF
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_70992D61 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_70992D61
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Memory allocated: page read and write | page guard Jump to behavior
Source: Capture_2.06.8.exe, 0000000F.00000002.676659278.0000000000E20000.00000002.00000001.sdmp, LCaptureInstallerUI.exe, 00000012.00000002.678483080.0000000001C10000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Capture_2.06.8.exe, 0000000F.00000002.676659278.0000000000E20000.00000002.00000001.sdmp, LCaptureInstallerUI.exe, 00000012.00000002.678483080.0000000001C10000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Capture_2.06.8.exe, 0000000F.00000002.676659278.0000000000E20000.00000002.00000001.sdmp, LCaptureInstallerUI.exe, 00000012.00000002.678483080.0000000001C10000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Capture_2.06.8.exe, 0000000F.00000002.676659278.0000000000E20000.00000002.00000001.sdmp, LCaptureInstallerUI.exe, 00000012.00000002.678483080.0000000001C10000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_7099610F cpuid 15_2_7099610F
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\wget.exe Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Queries volume information: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemCore\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemCore.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\LogiCaptureInstall\LCaptureInstallerUI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_7099289E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 15_2_7099289E
Source: C:\Users\user\Desktop\download\Capture_2.06.8.exe Code function: 15_2_004060D0 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 15_2_004060D0
Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Behavior Graph:

Behavior graph (figure; the following is the information recovered from the graph labels):
  • Behavior Graph ID: 378606
  • URL: https://download01.logi.com...
  • Startdate: 31/03/2021
  • Architecture: WINDOWS
  • Score: 10
  • Process tree:
    Capture_2.06.8.exe (started)
      dropped: C:\Users\user\AppData\Local\...\UserInfo.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32); C:\Users\user\AppData\Local\...\dpinst.exe (PE32+); 6 other files (none is malicious)
      started: LCaptureInstallerUI.exe
    cmd.exe (started)
      started: wget.exe; conhost.exe
      wget.exe contacted: 8.8.8.8 (GOOGLEUS, United States); 13.32.25.64 (ATT-INTERNET4US, United States)
      wget.exe dropped: C:\Users\user\Desktop\...\Capture_2.06.8.exe (PE32)

Contacted Public IPs

IP           Domain   Country        ASN    ASN Name         Malicious
8.8.8.8      unknown  United States  15169  GOOGLEUS         false
13.32.25.64  unknown  United States  7018   ATT-INTERNET4US  false