Source: SETUP.EXE |
Static PE information: certificate valid |
Source: SETUP.EXE |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Source: |
Binary string: d:\dbs\sh\s19s\0924_133349\cmd\h\obj\x64retail\sql\mpu\installframework\chainer\sqlsetupbootstrapper\exe\sqlsetupbootstrapper.exe.vcxproj\SqlSetupBootstrapper.pdb source: SETUP.EXE |
Source: C:\Users\user\Desktop\SETUP.EXE |
Code function: 0_2_00007FF6020D5550 FindFirstFileExW, |
0_2_00007FF6020D5550 |
Source: C:\Users\user\Desktop\SETUP.EXE |
Code function: 0_2_00007FF6020DB554 |
0_2_00007FF6020DB554 |
Source: C:\Users\user\Desktop\SETUP.EXE |
Code function: 0_2_00007FF6020D1D74 |
0_2_00007FF6020D1D74 |
Source: C:\Users\user\Desktop\SETUP.EXE |
Code function: 0_2_00007FF6020D3EF0 |
0_2_00007FF6020D3EF0 |
Source: C:\Users\user\Desktop\SETUP.EXE |
Code function: 0_2_00007FF6020D5318 |
0_2_00007FF6020D5318 |
Source: SETUP.EXE |
Binary or memory string: OriginalFilename vs SETUP.EXE |
Source: SETUP.EXE, 00000000.00000000.2004102899.00007FF6020E8000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameSqlSetupBootstrapper.exeJ vs SETUP.EXE |
Source: SETUP.EXE |
Binary or memory string: OriginalFilenameSqlSetupBootstrapper.exeJ vs SETUP.EXE |
Source: classification engine |
Classification label: clean3.winEXE@2/0@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1996:120:WilError_03 |
Source: SETUP.EXE |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\SETUP.EXE |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: unknown |
Process created: C:\Users\user\Desktop\SETUP.EXE "C:\Users\user\Desktop\SETUP.EXE" |
Source: C:\Users\user\Desktop\SETUP.EXE |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\SETUP.EXE |
Section loaded: sqlsetupbootstrapper.dll |
Jump to behavior |
Source: SETUP.EXE |
Static PE information: certificate valid |
Source: initial sample |
Static PE information: Valid certificate with Microsoft Issuer |
Source: SETUP.EXE |
Static PE information: Image base 0x100400000 > 0x60000000 |
Source: SETUP.EXE |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: SETUP.EXE |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: SETUP.EXE |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: SETUP.EXE |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: SETUP.EXE |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: SETUP.EXE |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: SETUP.EXE |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Source: SETUP.EXE |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: |
Binary string: d:\dbs\sh\s19s\0924_133349\cmd\h\obj\x64retail\sql\mpu\installframework\chainer\sqlsetupbootstrapper\exe\sqlsetupbootstrapper.exe.vcxproj\SqlSetupBootstrapper.pdb source: SETUP.EXE |
Source: SETUP.EXE |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: SETUP.EXE |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: SETUP.EXE |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: SETUP.EXE |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: SETUP.EXE |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\SETUP.EXE |
Code function: 0_2_00007FF6020D5550 FindFirstFileExW, |
0_2_00007FF6020D5550 |
Source: C:\Users\user\Desktop\SETUP.EXE |
Code function: 0_2_00007FF6020D4D58 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00007FF6020D4D58 |
Source: C:\Users\user\Desktop\SETUP.EXE |
Code function: 0_2_00007FF6020D81E0 GetProcessHeap, |
0_2_00007FF6020D81E0 |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\SETUP.EXE |
Code function: 0_2_00007FF6020D4D58 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00007FF6020D4D58 |
Source: C:\Users\user\Desktop\SETUP.EXE |
Code function: 0_2_00007FF6020D1C88 SetUnhandledExceptionFilter, |
0_2_00007FF6020D1C88 |
Source: C:\Users\user\Desktop\SETUP.EXE |
Code function: 0_2_00007FF6020D1AD4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00007FF6020D1AD4 |
Source: C:\Users\user\Desktop\SETUP.EXE |
Code function: 0_2_00007FF6020D14B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00007FF6020D14B8 |
Source: C:\Users\user\Desktop\SETUP.EXE |
Code function: 0_2_00007FF6020DB380 cpuid |
0_2_00007FF6020DB380 |
Source: C:\Users\user\Desktop\SETUP.EXE |
Code function: 0_2_00007FF6020D1938 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
0_2_00007FF6020D1938 |