Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1532549
MD5: 08aba4235f18775205a1705d89676705
SHA1: d25fc234125ed0cb49608309a842043b7acc2e86
SHA256: f8c59bf2647bc5ad0b69428864ac9b02cf4695a20130a6b171701285195c3c9f

Detection

Score: 7
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: Setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\PatchInstaller.Log
Source: Setup.exe Static PE information: certificate valid
Source: Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\AzAgent\_work\13\s\Install\Fuse2\SupportFiles\Setup\Aventa_Release\Setup.pdb source: Setup.exe
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E12D30 GetModuleFileNameW,GetLongPathNameW,GetFileAttributesW,wsprintfW,wsprintfW,wsprintfW,GetFileAttributesW,wsprintfW,wsprintfW,FindFirstFileW,FindClose,SHGetFolderPathW,SHGetFolderPathW,GetLastError,FormatMessageW,wsprintfW,wsprintfW,SHGetFolderPathW,SHGetFolderPathW,GetLastError,FormatMessageW, 0_2_00E12D30
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E1A560 wsprintfW,FindFirstFileW,FindClose,wsprintfW,Sleep,GetFileAttributesW,SetFileAttributesW,SetFileAttributesW,SetFileAttributesW,CopyFileW,wsprintfW,GetLastError,FormatMessageW, 0_2_00E1A560
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E15DD0 wsprintfW,wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,SetFileAttributesW,SetFileAttributesW,CopyFileW,wsprintfW,GetFileAttributesW,SetFileAttributesW,SetFileAttributesW,GetLastError,FormatMessageW,FindClose, 0_2_00E15DD0
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: Setup.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E121A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00E121A0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E150F0 0_2_00E150F0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E2A259 0_2_00E2A259
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E264EF 0_2_00E264EF
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E3A699 0_2_00E3A699
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E2A671 0_2_00E2A671
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E3884F 0_2_00E3884F
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E2D9F8 0_2_00E2D9F8
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E2AAA6 0_2_00E2AAA6
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E29CB0 0_2_00E29CB0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E2DC27 0_2_00E2DC27
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E29D5D 0_2_00E29D5D
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E2AEDB 0_2_00E2AEDB
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E31F40 0_2_00E31F40
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 00E15020 appears 103 times
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 00E27620 appears 48 times
Source: classification engine Classification label: clean7.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E114B0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle, 0_2_00E114B0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E1A9B0 VariantClear,SysAllocString,CoCreateInstance,MessageBoxW,VariantClear, 0_2_00E1A9B0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E23070 LoadResource,LockResource,SizeofResource, 0_2_00E23070
Source: Setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Setup.exe String found in binary or memory: /install /passive /norestart
Source: Setup.exe String found in binary or memory: appSettings/add[@key='DevOpsEventId']
Source: Setup.exe String found in binary or memory: /install /quiet /norestart
Source: Setup.exe String found in binary or memory: appSettings/add[@key='DevOpsUpdatedProductVersion']
Source: Setup.exe String found in binary or memory: appSettings/add[@key='Market']
Source: Setup.exe String found in binary or memory: appSettings/add[@key='AllowRemoteServices']
Source: Setup.exe String found in binary or memory: SeShutdownPrivilegePatchInstaller.LogC:\PatchInstaller.logSetupCould not create log file.FilesPatchesm_szSrcDir: %sm_szPatchDir: %sMarkets\Markets.xmlInformation : Patch Folder ExistsXml Used as %s*.mspInformation : No patch ExistsInvoking Full Install..._isstub.exe COUNTRY /v"COUNTRY=%s"STANDALONEVA /v"STANDALONE=Yes" /v"REBOOT=Force"WEB /v"MEDIATYPE=%s" /v"/qr"01 /v"ALLOWREMOTESERVICES=%s" /v"UNCHECKREMOTESERVICES=%s" -LInstallShield exe Launch call succeeded.InstallShield exe Launch call failed.InstallShield Invoke ExitCode: %luUser cancelled operation.Not all GNWeb params have a value to invoke GNWeb. Check log.SOFTWARE\ReSound\Aventa3MarketBrand registry key not found or could not open: 'HKLM\%s'. dwRes=%luVersionMajorVersionMinorVersionVersionStringVerMajor=%s, VerMinor=%s, Version=%s, VersionString=%sCaching config values...ReSound.Fuse2.Config.dll.configConfig file: '%s'appSettings/add[@key='DevOpsEventId']valuevalue attribute missing for DevOps EventIDappSettings/add[@key='Market']value attribute missing for MarketappSettings/add[@key='DevOpsUpdatedProductVersion']value attribute missing for DevOps Product VersionappSettings/add[@key='AllowRemoteServices']value attribute missing for AllowRemoteServicesFailed to get xml document element...Failed to load config file...EventId: '%s' Market: '%s' ApiProductVersion: '%s' AllowRemoteServices: '%s'Invoking GNWeb...%luError: Exception while setting DevOpsErrorMessage
Source: C:\Users\user\Desktop\Setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: msxml3.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}\InProcServer32
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E27169 push ecx; ret 0_2_00E2717C
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E27666 push ecx; ret 0_2_00E27679
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E3F8CF push dword ptr [esp+ecx-75h]; iretd 0_2_00E3F8D3
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E1CA80 GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW, 0_2_00E1CA80
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E264EF GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00E264EF
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\Setup.exe API coverage: 7.6 %
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E273D6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E273D6
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E1D1A0 CreateMutexW,GetLastError,#113,#113,OutputDebugStringW,OutputDebugStringW,MsgWaitForMultipleObjects,MsgWaitForMultipleObjects,PeekMessageW,PeekMessageW,MsgWaitForMultipleObjects,CloseHandle,OutputDebugStringW,OutputDebugStringW,#113, 0_2_00E1D1A0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E331F9 mov eax, dword ptr fs:[00000030h] 0_2_00E331F9
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E3A256 GetProcessHeap, 0_2_00E3A256
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E27568 SetUnhandledExceptionFilter, 0_2_00E27568
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E2767B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00E2767B
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E2BEA1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E2BEA1
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E278E7 cpuid 0_2_00E278E7
Source: C:\Users\user\Desktop\Setup.exe Code function: GetLocaleInfoW, 0_2_00E380C7
Source: C:\Users\user\Desktop\Setup.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00E3E1B7
Source: C:\Users\user\Desktop\Setup.exe Code function: EnumSystemLocalesW, 0_2_00E3E47A
Source: C:\Users\user\Desktop\Setup.exe Code function: EnumSystemLocalesW, 0_2_00E3E42F
Source: C:\Users\user\Desktop\Setup.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00E3E5A2
Source: C:\Users\user\Desktop\Setup.exe Code function: EnumSystemLocalesW, 0_2_00E3E515
Source: C:\Users\user\Desktop\Setup.exe Code function: GetLocaleInfoW, 0_2_00E3E7F2
Source: C:\Users\user\Desktop\Setup.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00E3E91B
Source: C:\Users\user\Desktop\Setup.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00E3EAEF
Source: C:\Users\user\Desktop\Setup.exe Code function: GetLocaleInfoW, 0_2_00E3EA22
Source: C:\Users\user\Desktop\Setup.exe Code function: EnumSystemLocalesW, 0_2_00E37CD4
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E15020 wsprintfW,GetLocalTime, 0_2_00E15020
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00E11070 GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,GetVersionExW,GetTokenInformation,GetTokenInformation,GetTokenInformation,DuplicateToken,CreateWellKnownSid,CheckTokenMembership,GetLastError,CloseHandle,CloseHandle,CloseHandle, 0_2_00E11070
No contacted IP infos