Edit tour

Windows Analysis Report
LocalPlayback.exe

Overview

General Information

Sample name:	LocalPlayback.exe
Analysis ID:	1541117
MD5:	ef3eafbf2d877473b2802e1add2857ad
SHA1:	c60a150229844a0f1822556700c6a8cefd683a30
SHA256:	88fcc295ae1a01ca93de900d4fd56411dbf197453d07e2c109faa714558bf81b
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Compliance

Score:	49
Range:	0 - 100

Signatures

PE file has a writeable .text section

Registers a new ROOT certificate

Checks for available system drives (often done to infect USB drives)

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Use Short Name Path in Command Line

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

LocalPlayback.exe (PID: 1412 cmdline: "C:\Users\user\Desktop\LocalPlayback.exe" MD5: EF3EAFBF2D877473B2802E1ADD2857AD)

ISBEW64.exe (PID: 7172 cmdline: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F60EF52-B8AE-4C65-B672-4ECBA9C7EF64} MD5: 1AE40C548AE265EFF8D25EA7538A5196)

ISBEW64.exe (PID: 7204 cmdline: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DEBE9773-6CCB-402A-A045-44F23FC2C3BA} MD5: 1AE40C548AE265EFF8D25EA7538A5196)

ISBEW64.exe (PID: 7236 cmdline: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E46B7176-3FFC-40C6-B559-180C9F23E714} MD5: 1AE40C548AE265EFF8D25EA7538A5196)

ISBEW64.exe (PID: 7268 cmdline: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E5BF0CED-81A6-4ECC-9E75-24C1C03367D2} MD5: 1AE40C548AE265EFF8D25EA7538A5196)

ISBEW64.exe (PID: 7300 cmdline: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{83415305-25EC-4DB0-8231-2F0B7AC0579F} MD5: 1AE40C548AE265EFF8D25EA7538A5196)

ISBEW64.exe (PID: 7400 cmdline: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3309AE38-3356-4998-B51D-DDEA1CA316CD} MD5: 1AE40C548AE265EFF8D25EA7538A5196)

vcredist_x86.exe (PID: 8120 cmdline: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe /q MD5: 0FC525B6B7B96A87523DAA7A0013C69D)

vcredist_x86.exe (PID: 7224 cmdline: "C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe" /q -burn.unelevated BurnPipe.{DBEA4BDC-32D1-4571-8C40-9D2304124BE9} {91C7A57E-FB61-4624-AACC-1188F529C9A7} 8120 MD5: 0FC525B6B7B96A87523DAA7A0013C69D)

msiexec.exe (PID: 7236 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

vcredist_x64_2013.exe (PID: 1876 cmdline: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe /q MD5: 385194EB89B6741781CB9065D8E8158E)

vcredist_x64_2013.exe (PID: 6008 cmdline: "C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe" /q -burn.unelevated BurnPipe.{0942DD9A-AF4A-432E-BD2D-A92FFBEDB9E9} {F3730AF5-9EE5-4B54-A568-50E8BA9679B4} 1876 MD5: 385194EB89B6741781CB9065D8E8158E)

LocalPlayback.exe (PID: 5600 cmdline: "C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe" MD5: 7DE44B22F47E7F2B625C6A3611FE7471)

SrTasks.exe (PID: 8088 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)

conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vcredist_x86.exe (PID: 4376 cmdline: "C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe" /burn.runonce MD5: 2335AB0C0E19C0EF416D07DF66FEE649)

vcredist_x86.exe (PID: 4704 cmdline: "C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe" MD5: 2335AB0C0E19C0EF416D07DF66FEE649)

cleanup

Sigma Signatures

System Summary

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F60EF52-B8AE-4C65-B672-4ECBA9C7EF64}, CommandLine: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F60EF52-B8AE-4C65-B672-4ECBA9C7EF64}, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe, ParentCommandLine: "C:\Users\user\Desktop\LocalPlayback.exe", ParentImage: C:\Users\user\Desktop\LocalPlayback.exe, ParentProcessId: 1412, ParentProcessName: LocalPlayback.exe, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F60EF52-B8AE-4C65-B672-4ECBA9C7EF64}, ProcessId: 7172, ProcessName: ISBEW64.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe" /burn.runonce, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe, ProcessId: 8120, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{f65db027-aff3-4070-886a-0d87064aabb1}

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T13:01:17.260694+0200	2803305	3	Unknown Traffic	192.168.2.7	49983	49.51.129.211	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0045439B __EH_prolog3_GS,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,CryptHashData,GetLastError,_memmove,CryptImportPublicKeyInfo,GetLastError,CryptVerifySignatureW,	2_2_0045439B
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_00453F68 __EH_prolog3_GS,CryptAcquireCertificatePrivateKey,GetLastError,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,CryptHashData,CryptSignHashW,CryptSignHashW,CryptSignHashW,GetLastError,GetLastError,WriteFile,WriteFile,WriteFile,	2_2_00453F68
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_00447378 _memset,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,ReadFile,CryptHashData,ReadFile,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,GetLastError,CryptDestroyHash,CryptReleaseContext,	19_2_00447378
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_00428101 CryptHashPublicKeyInfo,GetLastError,	19_2_00428101
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_00428386 DecryptFileW,	19_2_00428386
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_00427E2A _memset,CryptCATAdminCalcHashFromFileHandle,GetLastError,GetLastError,CryptCATAdminCalcHashFromFileHandle,GetLastError,WinVerifyTrust,WinVerifyTrust,WinVerifyTrust,	19_2_00427E2A
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003E7378 _memset,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,ReadFile,CryptHashData,ReadFile,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,GetLastError,CryptDestroyHash,CryptReleaseContext,	22_2_003E7378
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003C8101 CryptHashPublicKeyInfo,GetLastError,	22_2_003C8101
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003C8386 DecryptFileW,	22_2_003C8386
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003C7E2A _memset,CryptCATAdminCalcHashFromFileHandle,GetLastError,GetLastError,CryptCATAdminCalcHashFromFileHandle,GetLastError,WinVerifyTrust,WinVerifyTrust,WinVerifyTrust,	22_2_003C7E2A
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F28386 DecryptFileW,	27_2_00F28386
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F28101 CryptHashPublicKeyInfo,GetLastError,	27_2_00F28101
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F47378 _memset,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,ReadFile,CryptHashData,ReadFile,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,GetLastError,CryptDestroyHash,CryptReleaseContext,	27_2_00F47378
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F27E2A _memset,CryptCATAdminCalcHashFromFileHandle,GetLastError,GetLastError,CryptCATAdminCalcHashFromFileHandle,GetLastError,WinVerifyTrust,WinVerifyTrust,WinVerifyTrust,	27_2_00F27E2A

Source: LocalPlayback.exe, 0000001E.00000002.2571774893.000000006B4F0000.00000002.00000001.01000000.00000021.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_66f99156-0

Compliance

Uses 32bit PE files

Source: LocalPlayback.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Creates a software uninstall entry

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}

Creates license or readme file

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	File created: C:\Users\user~1\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\license.rtf
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	File created: C:\Users\user~1\AppData\Local\Temp\{1b103cea-f037-4504-81de-956057b442c3}\.ba1\license.rtf
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	File created: C:\Users\user~1\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\license.rtf
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	File created: C:\Users\user~1\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\license.rtf

PE / OLE file has a valid certificate

Source: LocalPlayback.exe

Static PE information: certificate valid

Uses new MSVCR Dlls

Source: C:\Users\user\Desktop\LocalPlayback.exe

File opened: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\msvcr90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: Nsd.pdb' source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\jenkins\workspace\APP_Package_Tool_BaseLine_Tools3\code\target\vs2013\ToolShareModule\ToolShareModule.pdb source: LocalPlayback.exe, 0000001E.00000002.2575260611.000000006C8F8000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: .pdb? source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Project\2018NewVersionTools\UpgradeTool\code\target\UpgradeTool\Upgrade.pdb source: LocalPlayback.exe, 0000001E.00000002.2574995176.000000006C8CA000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: qddsd.pdbEScritOpedm source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\ISP\setup.pdb source: LocalPlayback.exe, 00000002.00000000.1288293705.00000000004AD000.00000002.00000001.01000000.00000004.sdmp, LocalPlayback.exe, 00000002.00000002.2430910825.00000000004AD000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: qtgad.pdbEScritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qwbmpd.pdb source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2424912060.0000000005C0D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: `C:\Program Files (x86)\LocalPlayback\Standard\\sqlpsql.pdb source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\platforms\qwindowsd.pdbbddll} source: LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\jenkins\workspace\APP_Package_Tool_BaseLine_Tools3\code\target\VS2013\ToolGuiToolkit\ToolGuiToolkit.pdb source: LocalPlayback.exe, 0000001E.00000002.2573472697.000000006BE0A000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: C:/Program Files (x86)/LocalPlayback/imageformats/qwbmp.dll.pdb source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: `C:\Program Files (x86)\LocalPlayback\plugins\\indowsd.pdbws.ll source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qgifd.pdbl source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2424912060.0000000005C0D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Project\2018NewVersionTools\UpgradeTool\code\target\UpgradeTool\Upgrade.pdb(( source: LocalPlayback.exe, 0000001E.00000002.2574995176.000000006C8CA000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: \??\C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlmysqld.pdbltmpI source: LocalPlayback.exe, 00000002.00000003.2169399913.0000000005A92000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435360519.0000000005A92000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2427166168.0000000005A92000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xC:\Program Files (x86)\LocalPlayback\imageformats\qwbmpd.pdb. source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\PROJ\hpr\hpr_svn\lib\vs2008\hpr.pdb source: LocalPlayback.exe, 0000001E.00000002.2572733998.000000006BB42000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: qwebpd.pdbScritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qwebpd.pdb source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qwbmpd.pdbScritOpedJ;^ source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: `C:\Program Files (x86)\LocalPlayback\plugins\\indowsd.pdb source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdbH source: vcredist_x86.exe, 0000001C.00000002.2561765338.00000000700E5000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: qminimald.pdbritOped&;2 source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qtiffd.pdb source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb source: vcredist_x86.exe, 00000013.00000000.1787811525.000000000044A000.00000002.00000001.01000000.0000000F.sdmp, vcredist_x86.exe, 00000013.00000002.1873216538.000000000044A000.00000002.00000001.01000000.0000000F.sdmp, vcredist_x86.exe, 00000013.00000003.1807866305.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86.exe, 00000014.00000002.1873113180.000000000044A000.00000002.00000001.01000000.0000000F.sdmp, vcredist_x86.exe, 00000014.00000000.1791920978.000000000044A000.00000002.00000001.01000000.0000000F.sdmp, vcredist_x64_2013.exe, 00000016.00000002.1937952943.00000000003EA000.00000002.00000001.01000000.00000013.sdmp, vcredist_x64_2013.exe, 00000016.00000000.1876182782.00000000003EA000.00000002.00000001.01000000.00000013.sdmp, vcredist_x64_2013.exe, 00000017.00000002.1938343186.00000000003EA000.00000002.00000001.01000000.00000013.sdmp, vcredist_x64_2013.exe, 00000017.00000000.1877246310.00000000003EA000.00000002.00000001.01000000.00000013.sdmp, vcredist_x86.exe, 0000001B.00000002.1943499977.0000000000F4A000.00000002.00000001.01000000.00000015.sdmp, vcredist_x86.exe, 0000001B.00000000.1932728808.0000000000F4A000.00000002.00000001.01000000.00000015.sdmp, vcredist_x86.exe, 0000001C.00000002.2559508643.0000000000F4A000.00000002.00000001.01000000.00000015.sdmp, vcredist_x86.exe, 0000001C.00000000.1936608719.0000000000F4A000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:/Program Files (x86)/LocalPlayback/imageformats/qjpegd.pdb source: LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\jenkins\workspace\APP_Package_Tool_BaseLine_Tools3\code\target\VS2013\LocalPlayback\LocalPlayback.pdb source: LocalPlayback.exe, 0000001E.00000000.2168265549.0000000000D2C000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\jenkins\workspace\APP_Compiler_SDK_HDFile_Win32\win\VS2013\Release\HDFileSDK.pdb source: LocalPlayback.exe, 0000001E.00000002.2573042521.000000006BCCB000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qwbmpd.pdbw source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\jenkins\workspace\APP_Package_Tool_BaseLine_Tools3\code\target\vs2013\CommonSkin\CommonSkin.pdb source: LocalPlayback.exe, 0000001E.00000002.2568990669.000000006ADBD000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdb source: vcredist_x86.exe, 0000001C.00000002.2561765338.00000000700E5000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: qwbmpd.pdbXP1 source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qicod.pdbcod.llb source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlmysqld.pdb.lll source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\work\SuperRender\0000000\bin\win32\Private_PDB32\SuperRender.pdb8 ' source: LocalPlayback.exe, 0000001E.00000002.2561255132.0000000001267000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: qwindowsd.pdbritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\platforms\qoffscreend.pdb source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixDepCA.pdb source: vcredist_x86.exe, 00000013.00000003.1819940196.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86.exe, 00000013.00000003.1815835578.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, vcredist_x64_2013.exe, 00000016.00000003.1898813039.0000000000953000.00000004.00000020.00020000.00000000.sdmp, vcredist_x64_2013.exe, 00000016.00000003.1901279866.000000000098E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:/Program Files (x86)/LocalPlayback/imageformats/qwebp.dll.pdb source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\jenkins\workspace\APP_Package_SDK_HCNetUtils_win32\common\HCNetUtils\win32\lib\HCNetUtils.pdb source: LocalPlayback.exe, 0000001E.00000002.2570472714.000000006B205000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: C:/Program Files (x86)/LocalPlayback/imageformats/qwebpd.pdb source: LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:/Program Files (x86)/LocalPlayback/imageformats/qwbmpd.pdbt source: LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlited.pdbb source: LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qwbmpd.pdb.dldbA source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\work\SuperRender\0000000\bin\win32\Private_PDB32\SuperRender.pdb source: LocalPlayback.exe, 0000001E.00000002.2561255132.0000000001267000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: C:/Program Files (x86)/LocalPlayback/imageformats/qtiff.dll.pdb source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qicnsd.pdbScritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _isres_0x0409.dlllayout.bindata1.hdrdata1.cabsetup.exeISSetup.dll0x0804.ini0x0409.inisetup.iniAnalyzeData.dllAudioRender.dllcalib.dllD3DCompiler_43.dllD3DX9_43.dllEagleEyeRender.dllgdiplus.dllHCCore.dllHCNetSDK.dllHCNetUtils.dllHDFileSDK.dllhpr.dllHWDecode.dlliconv.dlllibxml2.dllLocalPlayback.exeLocalPlayback.ism.771LocalXml.zipMP_Render.dllMP_VIE.dllOpenAL32.dllPlayCtrl.dllQt5Core.dllQt5Gui.dllQt5Network.dllQt5PrintSupport.dllQt5Widgets.dllQt5Xml.dllSettings.xmlSuperRender.dllToolGuiToolkit.dllToolShareModule.dllToolShareModule.libUpgrade.dllUpgrade.xmlYUVProcess.dllzlib1.dllAudioIntercom.dllDsSdk.dllHCAlarm.dllHCAlarm.libHCCoreDevCfg.dllHCDisplay.dllHCGeneralCfgMgr.dllHCGeneralCfgMgr.libHCIndustry.dllHCPlayBack.dllHCPreview.dllHCPreview.libHCVoiceTalk.dlllibiconv2.dllmsvcr90.dllStreamTransClient.dllSystemTransform.dllqdds.dllqddsd.dllqddsd.pdbqgif.dllqgifd.dllqgifd.pdbqicns.dllqicnsd.dllqicnsd.pdbqico.dllqicod.dllqicod.pdbqjpeg.dllqjpegd.dllqjpegd.pdbqsvg.dllqsvgd.dllqsvgd.pdbqtga.dllqtgad.dllqtgad.pdbqtiff.dllqtiffd.dllqtiffd.pdbqwbmp.dllqwbmpd.dllqwbmpd.pdbqwebp.dllqwebpd.dllqwebpd.pdbqminimal.dllqminimald.dllqminimald.pdbqoffscreen.dllqoffscreend.dllqoffscreend.pdbqwindows.dllqwindowsd.dllqwindowsd.pdbqsqlite.dllqsqlited.dllqsqlited.pdbqsqlmysql.dllqsqlmysqld.dllqsqlmysqld.pdbqsqlpsql.dllqsqlpsqld.dllqsqlpsqld.pdbLocalPlayback_en.qmLocalPlayBack_en.tsLocalPlayback_zh.qmLocalPlayBack_zh.tsqt_en.qmqt_zh_CN.qmToolGuiToolkit_en.qmToolGuiToolkit_en.tsToolGuiToolkit_zh.qmToolGuiToolkit_zh.tsToolShareModule_en.qmToolShareModule_en.tsToolShareModule_zh.qmToolShareModule_zh.ts,g0W source: LocalPlayback.exe, 00000002.00000003.2197605938.0000000000855000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: LocalPlayback.exe, 00000002.00000003.1328776964.000000000087D000.00000004.00000020.00020000.00000000.sdmp, ISBEW64.exe, 00000006.00000002.2196188784.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 00000006.00000000.1332346457.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 00000007.00000002.1335450557.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 00000007.00000000.1333414243.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 00000008.00000000.1334155324.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 00000008.00000002.1336690488.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 00000009.00000002.1338208405.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 00000009.00000000.1334838319.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 0000000A.00000000.1335823221.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 0000000A.00000002.1338230664.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 0000000B.00000002.2171021829.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 0000000B.00000000.1389523104.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qsvgd.pdbpg.llg source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qgifd.pdbEScritOpedn;z source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: setup.inxlicense.rtfSetup.xmlvcredist_x64_2013.exevcredist_x86.exeFontData.iniDIFxData.inicorecomp.inidotnetinstaller.exedotnetinstaller.exe.configISBEW64.exeStringTable_0x0804.ipsStringTable_0x0409.ipsisrt.dlldefault.pal_isres_0x0804.dll_isres_0x0409.dlllayout.bindata1.hdrdata1.cabsetup.exeISSetup.dll0x0804.ini0x0409.inisetup.iniAnalyzeData.dllAudioRender.dllcalib.dllD3DCompiler_43.dllD3DX9_43.dllEagleEyeRender.dllgdiplus.dllHCCore.dllHCNetSDK.dllHCNetUtils.dllHDFileSDK.dllhpr.dllHWDecode.dlliconv.dlllibxml2.dllLocalPlayback.exeLocalPlayback.ism.771LocalXml.zipMP_Render.dllMP_VIE.dllOpenAL32.dllPlayCtrl.dllQt5Core.dllQt5Gui.dllQt5Network.dllQt5PrintSupport.dllQt5Widgets.dllQt5Xml.dllSettings.xmlSuperRender.dllToolGuiToolkit.dllToolShareModule.dllToolShareModule.libUpgrade.dllUpgrade.xmlYUVProcess.dllzlib1.dllAudioIntercom.dllDsSdk.dllHCAlarm.dllHCAlarm.libHCCoreDevCfg.dllHCDisplay.dllHCGeneralCfgMgr.dllHCGeneralCfgMgr.libHCIndustry.dllHCPlayBack.dllHCPreview.dllHCPreview.libHCVoiceTalk.dlllibiconv2.dllmsvcr90.dllStreamTransClient.dllSystemTransform.dllqdds.dllqddsd.dllqddsd.pdbqgif.dllqgifd.dllqgifd.pdbqicns.dllqicnsd.dllqicnsd.pdbqico.dllqicod.dllqicod.pdbqjpeg.dllqjpegd.dllqjpegd.pdbqsvg.dllqsvgd.dllqsvgd.pdbqtga.dllqtgad.dllqtgad.pdbqtiff.dllqtiffd.dllqtiffd.pdbqwbmp.dllqwbmpd.dllqwbmpd.pdbqwebp.dllqwebpd.dllqwebpd.pdbqminimal.dllqminimald.dllqminimald.pdbqoffscreen.dllqoffscreend.dllqoffscreend.pdbqwindows.dllqwindowsd.dllqwindowsd.pdbqsqlite.dllqsqlited.dllqsqlited.pdbqsqlmysql.dllqsqlmysqld.dllqsqlmysqld.pdbqsqlpsql.dllqsqlpsqld.dllqsqlpsqld.pdbLocalPlayback_en.qmLocalPlayBack_en.tsLocalPlayback_zh.qmLocalPlayBack_zh.tsqt_en.qmqt_zh_CN.qmToolGuiToolkit_en.qmToolGuiToolkit_en.tsToolGuiToolkit_zh.qmToolGuiToolkit_zh.tsToolShareModule_en.qmToolShareModule_en.tsToolShareModule_zh.qmToolShareModule_zh.ts,g0W source: LocalPlayback.exe, 00000002.00000003.2174730969.0000000000844000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196340763.000000000084F000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2188207802.0000000000844000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qsqlited.pdbcritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qwebpd.pdbimage/~ source: LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlpsqld.pdb@ source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qsqlpsqld.pdbritOped$%4 source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qicnsd.pdbrmdlll source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qddsd.pdbformdll source: LocalPlayback.exe, 00000002.00000003.2198116230.000000000082E000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2189404783.000000000082C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qtgad.pdbp.dl source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /LocalPlayback/imageformats/qwebpd.pdb' source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\AudioRender0\WindowsAudio2\bin\win32\Private_PDB32\AudioRender.pdb =k source: LocalPlayback.exe, 0000001E.00000002.2571115843.000000006B3C9000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: qsvgd.pdbEScritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :/aptui/complex/Images/System/Complex/date.pngtgad.pdb source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qsqlmysqld.pdbtOpedX:P source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb@F source: vcredist_x86.exe, 00000013.00000000.1787811525.000000000044A000.00000002.00000001.01000000.0000000F.sdmp, vcredist_x86.exe, 00000013.00000002.1873216538.000000000044A000.00000002.00000001.01000000.0000000F.sdmp, vcredist_x86.exe, 00000014.00000002.1873113180.000000000044A000.00000002.00000001.01000000.0000000F.sdmp, vcredist_x86.exe, 00000014.00000000.1791920978.000000000044A000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: kqsvgd.pdb source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb@E source: vcredist_x86.exe, 00000013.00000003.1807866305.0000000000F47000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb@@ source: vcredist_x64_2013.exe, 00000016.00000002.1937952943.00000000003EA000.00000002.00000001.01000000.00000013.sdmp, vcredist_x64_2013.exe, 00000016.00000000.1876182782.00000000003EA000.00000002.00000001.01000000.00000013.sdmp, vcredist_x64_2013.exe, 00000017.00000002.1938343186.00000000003EA000.00000002.00000001.01000000.00000013.sdmp, vcredist_x64_2013.exe, 00000017.00000000.1877246310.00000000003EA000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\jenkins\workspace\APP_Package_Tool_BaseLine_Tools3\code\target\vs2013\CommonSkin\CommonStyle.pdb source: LocalPlayback.exe, 0000001E.00000002.2575854670.000000006FF59000.00000002.00000001.01000000.00000029.sdmp
Source:	Binary string: C:/Program Files (x86)/LocalPlayback/imageformats/qwbmpd.pdb source: LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\AudioRender0\WindowsAudio2\bin\win32\Private_PDB32\AudioRender.pdb source: LocalPlayback.exe, 0000001E.00000002.2571115843.000000006B3C9000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: qjpegd.pdbScritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qtiffd.pdbScritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kegd.pdbX source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\platforms\qminimald.pdb source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qoffscreend.pdbtOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qjpegd.pdb source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2424912060.0000000005C0D000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qwebpd.pdbe Q source: LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qwbmpd.pdb3 source: LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qicod.pdbEScritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb@ source: vcredist_x86.exe, 0000001B.00000002.1943499977.0000000000F4A000.00000002.00000001.01000000.00000015.sdmp, vcredist_x86.exe, 0000001B.00000000.1932728808.0000000000F4A000.00000002.00000001.01000000.00000015.sdmp, vcredist_x86.exe, 0000001C.00000002.2559508643.0000000000F4A000.00000002.00000001.01000000.00000015.sdmp, vcredist_x86.exe, 0000001C.00000000.1936608719.0000000000F4A000.00000002.00000001.01000000.00000015.sdmp

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_00424C8F __EH_prolog3_GS,FindFirstFileW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrcatW,SysStringLen,lstrcatW,GetFileAttributesW,lstrcatW,lstrcmpiW,lstrcpynW,lstrcmpiW,lstrcmpiW,SysStringLen,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,LZOpenFileW,LZOpenFileW,LZCopy,LZClose,LZClose,DeleteFileW,lstrcpyW,	2_2_00424C8F
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0045145E __EH_prolog3_GS,FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,RemoveDirectoryW,__CxxThrowException@8,DeleteFileW,	2_2_0045145E
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0044F772 GetProcAddress,SearchPathW,GetModuleFileNameW,FindFirstFileW,VirtualQuery,VirtualProtect,VirtualProtect,	2_2_0044F772
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0042BF7F FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,	2_2_0042BF7F
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_00428BE8 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	19_2_00428BE8
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_004466A3 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,	19_2_004466A3
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_00445710 _memset,FindFirstFileW,FindClose,	19_2_00445710
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003C8BE8 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	22_2_003C8BE8
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003E66A3 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,	22_2_003E66A3
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003E5710 _memset,FindFirstFileW,FindClose,	22_2_003E5710
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F466A3 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,	27_2_00F466A3
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F28BE8 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	27_2_00F28BE8
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F45710 _memset,FindFirstFileW,FindClose,	27_2_00F45710
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 28_2_700DA685 _memset,FindFirstFileW,FindClose,	28_2_700DA685

Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe

Code function: 30_2_00C51A50 GetLogicalDrives,??0QByteArray@@QAE@XZ,??0QMessageBox@@QAE@PAVQWidget@@@Z,GetLogicalDriveStringsW,memset,GetDriveTypeW,?allocate@QArrayData@@SAPAU1@IIIV?$QFlags@W4AllocationOption@QArrayData@@@@@Z,?data@QArrayData@@QAEPAXXZ,??1QMessageBox@@UAE@XZ,??1QString@@QAE@XZ,?data@QArrayData@@QAEPAXXZ,?data@QArrayData@@QAEPAXXZ,?deallocate@QArrayData@@SAXPAU1@II@Z,

30_2_00C51A50

Source: C:\Users\user\Desktop\LocalPlayback.exe	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	File opened: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	File opened: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	File opened: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\FontData.ini	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	File opened: C:\Users\user~1\AppData\	Jump to behavior

Networking

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /4200/tool/windows/LocalPlayback/package.json HTTP/1.1Host: hikdownload.hik-connect.com

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49983 -> 49.51.129.211:80

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe

Code function: 19_2_00436994 InternetReadFile,WriteFile,WriteFile,GetLastError,GetLastError,

19_2_00436994

Source: global traffic

HTTP traffic detected: GET /4200/tool/windows/LocalPlayback/package.json HTTP/1.1Host: hikdownload.hik-connect.com

Source: LocalPlayback.exe, 0000001E.00000002.2571774893.000000006B4F0000.00000002.00000001.01000000.00000021.sdmp

String found in binary or memory: Ok04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56*.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)08:27*.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: hikdownload.hik-connect.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 24 Oct 2024 11:01:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 242Connection: keep-aliveServer: TengineData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 68 72 2f 3e 50 6f 77 65 72 65 64 20 62 79 20 54 65 6e 67 69 6e 65 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body bgcolor="white"><h1>404 Not Found</h1><p>The requested URL was not found on this server.<hr/>Powered by Tengine</body></html>

Source: LocalPlayback.exe, 00000002.00000000.1288293705.00000000004AD000.00000002.00000001.01000000.00000004.sdmp, LocalPlayback.exe, 00000002.00000002.2430910825.00000000004AD000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://=0x%04x.iniMS
Source: LocalPlayback.exe, 0000001E.00000002.2571774893.000000006B4F0000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://bugreports.qt.io/
Source: LocalPlayback.exe, 0000001E.00000002.2571774893.000000006B4F0000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://bugreports.qt.io/finishedServerMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogic
Source: LocalPlayback.exe, 00000002.00000003.1328776964.000000000087D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: LocalPlayback.exe, 00000002.00000003.2197605938.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://deviis4.installshield.com/NetNirvana/
Source: LocalPlayback.exe, 00000002.00000003.2174730969.0000000000844000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196340763.000000000084F000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2188207802.0000000000844000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://deviis4.installshield.com/NetNirvana/m
Source: LocalPlayback.exe, 0000001E.00000002.2563943582.00000000035A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hikdownload.hik-connect.com.pngloseView.pngr.Q
Source: LocalPlayback.exe, 0000001E.00000002.2565211131.0000000003A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hikdownload.hik-connect.com/4200/tool/windows/LocalPlayback/v/standard/en/LocalPlayback
Source: LocalPlayback.exe, 0000001E.00000002.2565211131.0000000003A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hikdownload.hik-connect.com/4200/tool/windows/LocalPlayback/v/standard/en/LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2565211131.0000000003A2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hikdownload.hik-connect.com/4200/tool/windows/LocalPlayback/v/standard/en/LocalPlayback.exeF
Source: LocalPlayback.exe, 0000001E.00000002.2564948444.0000000003917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.co
Source: LocalPlayback.exe, 00000002.00000003.1328776964.000000000087D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: LocalPlayback.exe, 0000001E.00000002.2571320041.000000006B3F9000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: http://qt-project.org/xml/features/report-start-end-entity
Source: LocalPlayback.exe, 0000001E.00000002.2571320041.000000006B3F9000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: http://qt-project.org/xml/features/report-whitespace-only-CharData
Source: LocalPlayback.exe, 0000001E.00000002.2571320041.000000006B3F9000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: http://trolltech.com/xml/features/report-start-end-entity
Source: LocalPlayback.exe, 0000001E.00000002.2571320041.000000006B3F9000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: http://trolltech.com/xml/features/report-whitespace-only-CharData
Source: LocalPlayback.exe, 00000002.00000003.1328776964.000000000087D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: LocalPlayback.exe, 00000002.00000003.1328776964.000000000087D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: LocalPlayback.exe, 00000002.00000003.1328776964.000000000087D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: vcredist_x86.exe, 00000014.00000003.1868826765.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, vcredist_x86.exe, 00000014.00000003.1869418883.00000000027D0000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86.exe, 00000014.00000003.1793238511.000000000062F000.00000004.00000020.00020000.00000000.sdmp, vcredist_x64_2013.exe, 00000017.00000003.1934969780.00000000018B0000.00000004.00000020.00020000.00000000.sdmp, vcredist_x64_2013.exe, 00000017.00000003.1933566497.000000000391B000.00000004.00000800.00020000.00000000.sdmp, vcredist_x86.exe, 0000001B.00000003.1935920151.0000000000652000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86.exe, 0000001C.00000002.2560839508.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, vcredist_x86.exe, 0000001C.00000002.2556580978.0000000000920000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86.exe, 0000001C.00000003.1938300398.00000000009AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: vcredist_x64_2013.exe, 00000017.00000003.1933566497.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010cessR
Source: vcredist_x64_2013.exe, 00000017.00000003.1933566497.000000000391B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010o
Source: LocalPlayback.exe, 00000002.00000003.1336775342.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.company.com
Source: LocalPlayback.exe, 00000002.00000003.1337188638.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2433505889.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2424468858.0000000002B83000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1337342198.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2195158245.0000000002B82000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1337050034.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2197888428.0000000002B83000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1336897127.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2428892620.0000000002B83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.company.comt
Source: LocalPlayback.exe, 00000002.00000003.1337342198.0000000002B82000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2424684901.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2190273382.0000000005CAF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2186596203.0000000005CA2000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436551431.0000000005CB1000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1329950331.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1965739685.0000000006600000.00000004.00000800.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1965894729.0000000006600000.00000004.00000800.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1964381135.0000000006600000.00000004.00000800.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2170880571.0000000005CA2000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2198375398.0000000005CAF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2197831927.0000000005CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hikvision.com
Source: LocalPlayback.exe, 00000002.00000003.2196340763.000000000084F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hikvision.com4
Source: LocalPlayback.exe, 00000002.00000003.2424684901.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436551431.0000000005CB1000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2198375398.0000000005CAF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2197831927.0000000005CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hikvision.comCT
Source: LocalPlayback.exe, 00000002.00000003.2424684901.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436551431.0000000005CB1000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2198375398.0000000005CAF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2197831927.0000000005CA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hikvision.comER
Source: LocalPlayback.exe, 00000002.00000003.2174730969.0000000000844000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2188207802.0000000000844000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hikvision.comX
Source: LocalPlayback.exe, 00000002.00000003.1313616804.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1304570653.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1303819742.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1315533478.00000000007EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hikvision.comal
Source: LocalPlayback.exe, 00000002.00000003.2195158245.0000000002B82000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2197888428.0000000002B83000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2200256507.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.hikvision.coml=%ld
Source: LocalPlayback.exe, LocalPlayback.exe, 00000002.00000000.1288293705.00000000004AD000.00000002.00000001.01000000.00000004.sdmp, LocalPlayback.exe, 00000002.00000002.2430910825.00000000004AD000.00000002.00000001.01000000.00000004.sdmp, LocalPlayback.exe, 00000002.00000003.1329950331.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1965739685.0000000006600000.00000004.00000800.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1965894729.0000000006600000.00000004.00000800.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1313616804.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1964381135.0000000006600000.00000004.00000800.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1302943701.0000000002920000.00000040.00001000.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1304570653.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1303819742.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1315533478.00000000007EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: LocalPlayback.exe, 0000001E.00000002.2571774893.000000006B4F0000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://www.phreedom.org/md5)
Source: LocalPlayback.exe, 0000001E.00000002.2571774893.000000006B4F0000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://www.phreedom.org/md5)08:27
Source: LocalPlayback.exe, 0000001E.00000002.2571320041.000000006B3F9000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: LocalPlayback.exe, 0000001E.00000002.2571320041.000000006B3F9000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: http://xml.org/sax/features/namespaces
Source: LocalPlayback.exe, 0000001E.00000002.2571320041.000000006B3F9000.00000002.00000001.01000000.00000022.sdmp	String found in binary or memory: http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech

Key, Mouse, Clipboard, Microphone and Screen Capturing

Creates a DirectInput object (often for capturing keystrokes)

Source: LocalPlayback.exe, 0000001E.00000002.2561255132.0000000001267000.00000002.00000001.01000000.00000026.sdmp

Binary or memory string: DirectDrawCreateEx

memstr_f53362d3-4

E-Banking Fraud

Registers a new ROOT certificate

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_00453B2B __EH_prolog3,CertOpenSystemStoreW,CertOpenSystemStoreW,CertOpenSystemStoreW,CertAddCertificateContextToStore,GetLastError,CertGetIssuerCertificateFromStore,CertAddCertificateContextToStore,GetLastError,CertGetIssuerCertificateFromStore,

2_2_00453B2B

System Summary

PE file has a writeable .text section

Source: ISSetup.dll.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: isr8AA1.tmp.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISS80A0.tmp.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Contains functionality to communicate with device drivers

Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe

Code function: 30_2_00C51660: memset,malloc,malloc,free,free,malloc,CreateFileW,DeviceIoControl,CloseHandle,free,free,free,free,free,CloseHandle,free,free,free,free,free,

30_2_00C51660

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_00446A5B GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

2_2_00446A5B

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c4c8c.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4E9F.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcamp120.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcomp120.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c4c8f.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c4c8f.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c4c90.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI53FF.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120chs.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120cht.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120deu.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120enu.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120esn.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120fra.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120ita.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120jpn.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120kor.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120rus.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c4c93.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c4c93.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c4c94.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6BFD.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\vcamp120.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\vcomp120.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c4c97.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c4c97.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c4c98.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{929FBD26-9020-399B-9A7A-751D61F0B942}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7005.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\mfc120chs.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\mfc120cht.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\mfc120deu.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\mfc120enu.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\mfc120esn.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\mfc120fra.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\mfc120ita.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\mfc120jpn.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\mfc120kor.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\mfc120rus.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c4c9b.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6c4c9b.msi

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\6c4c8f.msi

Detected potential crypto function

Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0047C079	2_2_0047C079
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0046802F	2_2_0046802F
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0049C169	2_2_0049C169
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_00490400	2_2_00490400
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_004785C3	2_2_004785C3
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0047C5E9	2_2_0047C5E9
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0047CF48	2_2_0047CF48
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0047D307	2_2_0047D307
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_00471456	2_2_00471456
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0049D5C4	2_2_0049D5C4
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_00475701	2_2_00475701
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0044DAE2	2_2_0044DAE2
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0047DA83	2_2_0047DA83
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0045E55F	2_2_0045E55F
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0045EA53	2_2_0045EA53
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_00462D20	2_2_00462D20
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0045EE6B	2_2_0045EE6B
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_00492EF0	2_2_00492EF0
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_004631C0	2_2_004631C0
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0045F2A0	2_2_0045F2A0
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0045F6D5	2_2_0045F6D5
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0047F77C	2_2_0047F77C
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0047BB10	2_2_0047BB10
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0046FC8B	2_2_0046FC8B
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Code function: 6_2_00007FF75D261AD0	6_2_00007FF75D261AD0
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Code function: 6_2_00007FF75D264230	6_2_00007FF75D264230
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Code function: 6_2_00007FF75D26D308	6_2_00007FF75D26D308
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Code function: 6_2_00007FF75D2742FC	6_2_00007FF75D2742FC
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Code function: 6_2_00007FF75D26F11C	6_2_00007FF75D26F11C
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Code function: 6_2_00007FF75D264E10	6_2_00007FF75D264E10
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Code function: 6_2_00007FF75D26CC64	6_2_00007FF75D26CC64
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Code function: 6_2_00007FF75D26FCE4	6_2_00007FF75D26FCE4
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CA5560	30_2_00CA5560
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CE9A70	30_2_00CE9A70
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CB7550	30_2_00CB7550
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CEC250	30_2_00CEC250
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00C48440	30_2_00C48440
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00C94A30	30_2_00C94A30
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00D00B80	30_2_00D00B80
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CFCBA0	30_2_00CFCBA0
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CF5530	30_2_00CF5530
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00C9DA60	30_2_00C9DA60
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CC9B80	30_2_00CC9B80
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00C9A1E0	30_2_00C9A1E0
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CF2120	30_2_00CF2120
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CE9A70	30_2_00CE9A70
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00C630B0	30_2_00C630B0
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00C47830	30_2_00C47830
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00C630B0	30_2_00C630B0
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_011F4C40	30_2_011F4C40
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_011FA140	30_2_011FA140
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_011FA600	30_2_011FA600
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_011F6670	30_2_011F6670
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_011FA9B0	30_2_011FA9B0
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_011FA8B0	30_2_011FA8B0
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_011FAAB0	30_2_011FAAB0
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_011F2C90	30_2_011F2C90
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_011F2F40	30_2_011F2F40
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_011F3140	30_2_011F3140
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_011F7170	30_2_011F7170
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_011FF1E0	30_2_011FF1E0
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_011F7070	30_2_011F7070
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_0123E125	30_2_0123E125
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_01258108	30_2_01258108
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_0125E0B4	30_2_0125E0B4
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_0123E310	30_2_0123E310
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_01262486	30_2_01262486

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: String function: 0044177A appears 60 times
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: String function: 0044540B appears 73 times
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: String function: 0044294E appears 460 times
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: String function: 0043F6A2 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: String function: 0043FA86 appears 654 times
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: String function: 00F4294E appears 460 times
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: String function: 00F3F6A2 appears 35 times
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: String function: 00F4540B appears 73 times
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: String function: 700D10E3 appears 70 times
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: String function: 700DAFD3 appears 31 times
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: String function: 00F3FA86 appears 654 times
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: String function: 00F4177A appears 60 times
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: String function: 00462F51 appears 35 times
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: String function: 0045B6C9 appears 295 times
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: String function: 0045B6FF appears 57 times
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: String function: 00423321 appears 40 times
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: String function: 0045A10D appears 136 times
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: String function: 004091B8 appears 102 times
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: String function: 0045B696 appears 235 times
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: String function: 00466070 appears 55 times
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: String function: 00459DAE appears 77 times
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: String function: 00459DDC appears 56 times
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: String function: 00C35173 appears 41 times
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: String function: 00C3247D appears 32 times
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: String function: 00D0C478 appears 46 times
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: String function: 00C3647E appears 38 times
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: String function: 003E540B appears 73 times
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: String function: 003E177A appears 60 times
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: String function: 003DFA86 appears 654 times
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: String function: 003E294E appears 460 times
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: String function: 003DF6A2 appears 35 times

PE file contains executable resources (Code or Archives)

Source: hpr8777.tmp.2.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Loc8846.tmp.2.dr	Static PE information: Resource name: RT_ICON type: tar archive (old), type '9' (, mode !\005, uid )\006, gid !\010\0, size *\010, seconds \006\016, linkname \014\002, comment: 7

Sample file is different than original file name gathered from version info

Source: LocalPlayback.exe, 00000002.00000003.1328776964.000000000087D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameISRT.dll vs LocalPlayback.exe
Source: LocalPlayback.exe, 00000002.00000000.1288340748.0000000000518000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs LocalPlayback.exe
Source: LocalPlayback.exe	Binary or memory string: OriginalFilename vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2575336087.000000006C8FF000.00000002.00000001.01000000.00000019.sdmp	Binary or memory string: OriginalFilenameToolShareModule.dll@ vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2571617408.000000006B450000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: OriginalFilenameQt5PrintSupport.dll( vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2576115403.000000007004B000.00000002.00000001.01000000.0000002A.sdmp	Binary or memory string: OriginalFilenameqdds.dll( vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2573230518.000000006BCD5000.00000002.00000001.01000000.0000001B.sdmp	Binary or memory string: OriginalFilenameHDFileSDK.dll4 vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2560995220.000000000120F000.00000002.00000001.01000000.00000025.sdmp	Binary or memory string: OriginalFilenameAnalyzeData.dll8 vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2561519409.00000000012E1000.00000002.00000001.01000000.00000026.sdmp	Binary or memory string: OriginalFilenameSuperRender.dllb! vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2570330216.000000006AEC3000.00000002.00000001.01000000.00000027.sdmp	Binary or memory string: OriginalFilenameqwindows.dll( vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2572836301.000000006BC57000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: OriginalFilenamehpr.dll( vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2574879072.000000006C7FA000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: OriginalFilenameQt5Gui.dll( vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2568305204.000000006AC66000.00000002.00000001.01000000.0000002F.sdmp	Binary or memory string: OriginalFilenameqtga.dll( vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2568863892.000000006ACB8000.00000002.00000001.01000000.0000002D.sdmp	Binary or memory string: OriginalFilenameqico.dll( vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2568057819.000000006AC4D000.00000002.00000001.01000000.00000030.sdmp	Binary or memory string: OriginalFilenameqtiff.dll( vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2571873027.000000006B528000.00000002.00000001.01000000.00000021.sdmp	Binary or memory string: OriginalFilenameQt5Network.dll( vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2573691280.000000006BED1000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: OriginalFilenameToolGuiToolkit.dll> vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2574203004.000000006C30C000.00000002.00000001.01000000.00000018.sdmp	Binary or memory string: OriginalFilenameQt5Widgets.dll( vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2571195230.000000006B3D6000.00000002.00000001.01000000.00000023.sdmp	Binary or memory string: OriginalFilenameAudioRender.dllb! vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2572561458.000000006BB12000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: OriginalFilenameQt5Core.dll( vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2575743999.000000006FF48000.00000002.00000001.01000000.0000002B.sdmp	Binary or memory string: OriginalFilenameqgif.dll( vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2567687436.000000006ABF6000.00000002.00000001.01000000.00000031.sdmp	Binary or memory string: OriginalFilenameqwbmp.dll( vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2575563003.000000006C919000.00000002.00000001.01000000.0000002C.sdmp	Binary or memory string: OriginalFilenameqicns.dll( vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2568537510.000000006ACAC000.00000002.00000001.01000000.0000002E.sdmp	Binary or memory string: OriginalFilenameqjpeg.dll( vs LocalPlayback.exe
Source: LocalPlayback.exe, 0000001E.00000002.2567183037.0000000010367000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: OriginalFilenamePlayCtrl.dll2 vs LocalPlayback.exe

Uses 32bit PE files

Source: LocalPlayback.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ISSetup.dll.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: lib96F4.tmp.2.dr	Static PE information: Section: .reloc IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: isr8AA1.tmp.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISS80A0.tmp.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: lib96F4.tmp.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: isr8AA1.tmp.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: LocalPlayback.exe, 0000001E.00000002.2572144739.000000006B8F5000.00000002.00000001.01000000.0000001E.sdmp

Binary or memory string: nna.nosciencehu.comtadaoka.osaka.jphayakawa.yamanashi.jpdnsalias.orgedu.saedu.sbedu.rsedu.sclib.id.usogori.fukuoka.jpnotogawa.shiga.jpedu.sdrepbody.aeroid.auedu.ruk12.nj.usloyalist.museumedu.rwedu.sgxyzmoka.tochigi.jpdynathome.netkimino.wakayama.jpedu.slnissanveterinaire.kmkokubunji.tokyo.jpedu.snos.hordaland.notm.kmartsandcrafts.museumis-a-musician.com*.kitakyushu.jpiitate.fukushima.jpedu.stav.iturayasu.chiba.jpedu.svflorida.museumninjaedu.synemuro.hokkaido.jpedu.tjs

Source: classification engine

Classification label: sus24.bank.evad.winEXE@29/455@1/1

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe

Code function: 19_2_0043F326 FormatMessageW,GetLastError,LocalFree,

19_2_0043F326

Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_00454269 __EH_prolog3_GS,CertOpenSystemStoreW,GetLastError,CertOpenSystemStoreW,		2_2_00454269
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_00453B2B __EH_prolog3,CertOpenSystemStoreW,CertOpenSystemStoreW,CertOpenSystemStoreW,CertAddCertificateContextToStore,GetLastError,CertGetIssuerCertificateFromStore,CertAddCertificateContextToStore,GetLastError,CertGetIssuerCertificateFromStore,		2_2_00453B2B

Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_00446A5B GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,	2_2_00446A5B
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_004113BA GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,	19_2_004113BA
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003B13BA GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,	22_2_003B13BA
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F113BA GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,	27_2_00F113BA

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_0041F059 __EH_prolog3_GS,_memset,GetDiskFreeSpaceExW,LoadLibraryW,GetProcAddress,lstrcpyW,lstrcatW,GetDiskFreeSpaceExW,GetDiskFreeSpaceExW,GetLastError,GetDiskFreeSpaceW,GetDiskFreeSpaceW,

2_2_0041F059

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_00444E65 __EH_prolog3_GS,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,Process32NextW,OpenProcess,

2_2_00444E65

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_0041A2E5 CoCreateInstance,

2_2_0041A2E5

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_00499420 FindResourceW,FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,_memmove,CreateStreamOnHGlobal,GlobalUnlock,GlobalFree,

2_2_00499420

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe

Code function: 19_2_0042E774 ChangeServiceConfigW,GetLastError,

19_2_0042E774

Source: C:\Users\user\Desktop\LocalPlayback.exe

File created: C:\Program Files (x86)\InstallShield Installation Information\

Jump to behavior

Source: C:\Users\user\Desktop\LocalPlayback.exe

File created: C:\Users\Public\Desktop\LocalPlayback.lnk

Jump to behavior

Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Users\user\Desktop\LocalPlayback.exe	Mutant created: \Sessions\1\BaseNamedObjects\6674BCC5-BC57-446B-B83B-FA53501E0FDC
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Mutant created: \Sessions\1\BaseNamedObjects\QtLockedFile mutex c:/users/user/appdata/local/temp/qtsingleapplication-b312-1-lockfile

Source: C:\Users\user\Desktop\LocalPlayback.exe

File created: C:\Users\user~1\AppData\Local\Temp\{BF172FD2-5CBE-4AB8-9EBD-2755BF244CA6}\

Jump to behavior

Source: C:\Users\user\Desktop\LocalPlayback.exe	Command line argument: x$L	2_2_00425602
Source: C:\Users\user\Desktop\LocalPlayback.exe	Command line argument: x$L	2_2_00425602
Source: C:\Users\user\Desktop\LocalPlayback.exe	Command line argument: x$L	2_2_00425602
Source: C:\Users\user\Desktop\LocalPlayback.exe	Command line argument: EXE=%s	2_2_00425602
Source: C:\Users\user\Desktop\LocalPlayback.exe	Command line argument: EXEProcessBegin	2_2_00425602
Source: C:\Users\user\Desktop\LocalPlayback.exe	Command line argument: ISSetupInit	2_2_00425602
Source: C:\Users\user\Desktop\LocalPlayback.exe	Command line argument: x$L	2_2_00425602
Source: C:\Users\user\Desktop\LocalPlayback.exe	Command line argument: x$L	2_2_00425602

Source: LocalPlayback.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LocalPlayback.exe

File read: C:\Users\user\AppData\Local\Temp\{BF172FD2-5CBE-4AB8-9EBD-2755BF244CA6}\Disk1\setup.ini

Jump to behavior

Source: C:\Users\user\Desktop\LocalPlayback.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: vcredist_x86.exe, 00000013.00000003.1819940196.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86.exe, 00000013.00000003.1815835578.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, vcredist_x64_2013.exe, 00000016.00000003.1898813039.0000000000953000.00000004.00000020.00020000.00000000.sdmp, vcredist_x64_2013.exe, 00000016.00000003.1901279866.000000000098E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SELECT `WixDependency`.`WixDependency`, `WixDependencyProvider`.`Component_`, `WixDependency`.`ProviderKey`, `WixDependency`.`MinVersion`, `WixDependency`.`MaxVersion`, `WixDependency`.`Attributes` FROM `WixDependencyProvider`, `WixDependency`, `WixDependencyRef` WHERE `WixDependency`.`WixDependency` = `WixDependencyRef`.`WixDependency_` AND `WixDependencyProvider`.`WixDependencyProvider` = `WixDependencyRef`.`WixDependencyProvider_`SELECT `WixDependencyProvider`.`WixDependencyProvider`, `WixDependencyProvider`.`Component_`, `WixDependencyProvider`.`ProviderKey`, `WixDependencyProvider`.`Attributes` FROM `WixDependencyProvider`Failed to ignored dependency "%ls" to the string dictionary.;Failed to create the string dictionary.Failed to get the string value of the IGNOREDEPENDENCIES property.IGNOREDEPENDENCIESUnknownFailed to set the dependency name "%ls" into the message record.Failed to set the dependency key "%ls" into the message record.The dependency "%ls" is missing or is not the required version.Found dependent "%ls", name: "%ls".Failed to set the number of dependencies into the message record.Failed to set the message identifier into the message record.Not enough memory to create the message record.wixdepca.cppUnexpected message response %d from user or bootstrapper application.Failed to create the dependency record for message %d.Failed to enumerate all of the rows in the dependency query view.Failed to get WixDependency.Attributes.Failed to get WixDependency.MaxVersion.Failed to get WixDependency.MinVersion.Failed to get WixDependency.ProviderKey.Failed to get WixDependencyProvider.Component_.Failed to get WixDependency.WixDependency.Failed dependency check for %ls.Skipping dependency check for %ls because the component %ls is not being (re)installed.Failed to open the query view for dependencies.Failed to initialize the unique dependency string list.Failed to check if the WixDependency table exists.Skipping the dependency check since no dependencies are authored.WixDependencyFailed to enumerate all of the rows in the dependency provider query view.Failed to get WixDependencyProvider.Attributes.Failed to get WixDependencyProvider.ProviderKey.Failed to get WixDependencyProvider.Component.Failed to get WixDependencyProvider.WixDependencyProvider.Failed dependents check for %ls.Skipping dependents check for %ls because the component %ls is not being uninstalled.Failed to open the query view for dependency providers.Failed to check if the WixDependencyProvider table exists.Skipping the dependents check since no dependency providers are authored.WixDependencyProviderSkipping the dependencies check since IGNOREDEPENDENCIES contains "ALL".Failed to check if "ALL" was set in IGNOREDEPENDENCIES.ALLFailed to get the ignored dependents.Failed to ensure required dependencies for (re)installing components.ALLUSERSFailed to initialize the registry functions.Failed to initialize.WixDependencyRequireFailed to ensure absent dependents for uninstalling com

Source: vcredist_x86.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: vcredist_x64_2013.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: vcredist_x86.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: LocalPlayback.exe	String found in binary or memory: --yexl-- CPlayBackInteraction-StartPlayback nofile

Source: C:\Users\user\Desktop\LocalPlayback.exe

File read: C:\Users\user\Desktop\LocalPlayback.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LocalPlayback.exe "C:\Users\user\Desktop\LocalPlayback.exe"
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F60EF52-B8AE-4C65-B672-4ECBA9C7EF64}
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DEBE9773-6CCB-402A-A045-44F23FC2C3BA}
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E46B7176-3FFC-40C6-B559-180C9F23E714}
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E5BF0CED-81A6-4ECC-9E75-24C1C03367D2}
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{83415305-25EC-4DB0-8231-2F0B7AC0579F}
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3309AE38-3356-4998-B51D-DDEA1CA316CD}
Source: unknown	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe /q
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe "C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe" /q -burn.unelevated BurnPipe.{DBEA4BDC-32D1-4571-8C40-9D2304124BE9} {91C7A57E-FB61-4624-AACC-1188F529C9A7} 8120
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe /q
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe "C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe" /q -burn.unelevated BurnPipe.{0942DD9A-AF4A-432E-BD2D-A92FFBEDB9E9} {F3730AF5-9EE5-4B54-A568-50E8BA9679B4} 1876
Source: unknown	Process created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe "C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe" /burn.runonce
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Process created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe "C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe"
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe "C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe"
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F60EF52-B8AE-4C65-B672-4ECBA9C7EF64}	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DEBE9773-6CCB-402A-A045-44F23FC2C3BA}	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E46B7176-3FFC-40C6-B559-180C9F23E714}	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E5BF0CED-81A6-4ECC-9E75-24C1C03367D2}	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{83415305-25EC-4DB0-8231-2F0B7AC0579F}	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3309AE38-3356-4998-B51D-DDEA1CA316CD}	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe /q	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe /q	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process created: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe "C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe "C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe" /q -burn.unelevated BurnPipe.{DBEA4BDC-32D1-4571-8C40-9D2304124BE9} {91C7A57E-FB61-4624-AACC-1188F529C9A7} 8120	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe "C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe" /q -burn.unelevated BurnPipe.{0942DD9A-AF4A-432E-BD2D-A92FFBEDB9E9} {F3730AF5-9EE5-4B54-A568-50E8BA9679B4} 1876
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Process created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe "C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe"

Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: lz32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: sxproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srcore.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vss_ps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: usoapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: sxproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: srclient.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: spp.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: vssapi.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: vsstrace.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: usoapi.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: sxproxy.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: msisip.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: srpapi.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: tsappcmp.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: feclient.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: wininet.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: feclient.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: textinputframework.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: windowscodecs.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: explorerframe.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: riched20.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: usp10.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: msls31.dll
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: qt5core.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: qt5gui.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: qt5widgets.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: toolguitoolkit.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: toolsharemodule.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: hdfilesdk.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: hpr.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: playctrl.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: analyzedata.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: upgrade.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: msvcp120.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: msvcr120.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: qt5core.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: msvcp120.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: msvcr120.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: qt5core.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: msvcp120.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: msvcr120.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: hpr.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: qt5core.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: qt5network.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: msvcp120.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: msvcr120.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: qt5core.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: qt5printsupport.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: qt5xml.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: hpr.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: msvcp120.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: msvcr120.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: superrender.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: audiorender.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: msvcp120.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: msvcr120.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: hcnetutils.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: dsound.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: ddraw.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: dxgi.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: dciman32.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: wintab32.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: qt5svg.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: d3d11.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: dcomp.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Section loaded: fwpuclnt.dll

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\LocalPlayback.exe

File written: C:\Users\user\AppData\Local\Temp\{BF172FD2-5CBE-4AB8-9EBD-2755BF244CA6}\Disk1\0x0409.ini

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\Desktop\LocalPlayback.exe	Automated click: Next >
Source: C:\Users\user\Desktop\LocalPlayback.exe	Automated click: Next >
Source: C:\Users\user\Desktop\LocalPlayback.exe	Automated click: Next >
Source: C:\Users\user\Desktop\LocalPlayback.exe	Automated click: Install
Source: C:\Users\user\Desktop\LocalPlayback.exe	Automated click: Next >

Uses Rich Edit Controls

Source: C:\Users\user\Desktop\LocalPlayback.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Found window with many clickable UI elements (buttons, textforms, scrollbars etc)

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Window detected: Number of UI elements: 19
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Window detected: Number of UI elements: 19
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Window detected: Number of UI elements: 19

Creates a software uninstall entry

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}

PE / OLE file has a valid certificate

Source: LocalPlayback.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: LocalPlayback.exe

Static file information: File size 80556152 > 1048576

Uses new MSVCR Dlls

Source: C:\Users\user\Desktop\LocalPlayback.exe

File opened: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\msvcr90.dll

Jump to behavior

PE file contains a debug data directory

Source: LocalPlayback.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: Nsd.pdb' source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\jenkins\workspace\APP_Package_Tool_BaseLine_Tools3\code\target\vs2013\ToolShareModule\ToolShareModule.pdb source: LocalPlayback.exe, 0000001E.00000002.2575260611.000000006C8F8000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: .pdb? source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Project\2018NewVersionTools\UpgradeTool\code\target\UpgradeTool\Upgrade.pdb source: LocalPlayback.exe, 0000001E.00000002.2574995176.000000006C8CA000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: qddsd.pdbEScritOpedm source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\ISP\setup.pdb source: LocalPlayback.exe, 00000002.00000000.1288293705.00000000004AD000.00000002.00000001.01000000.00000004.sdmp, LocalPlayback.exe, 00000002.00000002.2430910825.00000000004AD000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: qtgad.pdbEScritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qwbmpd.pdb source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2424912060.0000000005C0D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: `C:\Program Files (x86)\LocalPlayback\Standard\\sqlpsql.pdb source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\platforms\qwindowsd.pdbbddll} source: LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\jenkins\workspace\APP_Package_Tool_BaseLine_Tools3\code\target\VS2013\ToolGuiToolkit\ToolGuiToolkit.pdb source: LocalPlayback.exe, 0000001E.00000002.2573472697.000000006BE0A000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: C:/Program Files (x86)/LocalPlayback/imageformats/qwbmp.dll.pdb source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: `C:\Program Files (x86)\LocalPlayback\plugins\\indowsd.pdbws.ll source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qgifd.pdbl source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2424912060.0000000005C0D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Project\2018NewVersionTools\UpgradeTool\code\target\UpgradeTool\Upgrade.pdb(( source: LocalPlayback.exe, 0000001E.00000002.2574995176.000000006C8CA000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: \??\C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlmysqld.pdbltmpI source: LocalPlayback.exe, 00000002.00000003.2169399913.0000000005A92000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435360519.0000000005A92000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2427166168.0000000005A92000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xC:\Program Files (x86)\LocalPlayback\imageformats\qwbmpd.pdb. source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\PROJ\hpr\hpr_svn\lib\vs2008\hpr.pdb source: LocalPlayback.exe, 0000001E.00000002.2572733998.000000006BB42000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: qwebpd.pdbScritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qwebpd.pdb source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qwbmpd.pdbScritOpedJ;^ source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: `C:\Program Files (x86)\LocalPlayback\plugins\\indowsd.pdb source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdbH source: vcredist_x86.exe, 0000001C.00000002.2561765338.00000000700E5000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: qminimald.pdbritOped&;2 source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qtiffd.pdb source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb source: vcredist_x86.exe, 00000013.00000000.1787811525.000000000044A000.00000002.00000001.01000000.0000000F.sdmp, vcredist_x86.exe, 00000013.00000002.1873216538.000000000044A000.00000002.00000001.01000000.0000000F.sdmp, vcredist_x86.exe, 00000013.00000003.1807866305.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86.exe, 00000014.00000002.1873113180.000000000044A000.00000002.00000001.01000000.0000000F.sdmp, vcredist_x86.exe, 00000014.00000000.1791920978.000000000044A000.00000002.00000001.01000000.0000000F.sdmp, vcredist_x64_2013.exe, 00000016.00000002.1937952943.00000000003EA000.00000002.00000001.01000000.00000013.sdmp, vcredist_x64_2013.exe, 00000016.00000000.1876182782.00000000003EA000.00000002.00000001.01000000.00000013.sdmp, vcredist_x64_2013.exe, 00000017.00000002.1938343186.00000000003EA000.00000002.00000001.01000000.00000013.sdmp, vcredist_x64_2013.exe, 00000017.00000000.1877246310.00000000003EA000.00000002.00000001.01000000.00000013.sdmp, vcredist_x86.exe, 0000001B.00000002.1943499977.0000000000F4A000.00000002.00000001.01000000.00000015.sdmp, vcredist_x86.exe, 0000001B.00000000.1932728808.0000000000F4A000.00000002.00000001.01000000.00000015.sdmp, vcredist_x86.exe, 0000001C.00000002.2559508643.0000000000F4A000.00000002.00000001.01000000.00000015.sdmp, vcredist_x86.exe, 0000001C.00000000.1936608719.0000000000F4A000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:/Program Files (x86)/LocalPlayback/imageformats/qjpegd.pdb source: LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\jenkins\workspace\APP_Package_Tool_BaseLine_Tools3\code\target\VS2013\LocalPlayback\LocalPlayback.pdb source: LocalPlayback.exe, 0000001E.00000000.2168265549.0000000000D2C000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\jenkins\workspace\APP_Compiler_SDK_HDFile_Win32\win\VS2013\Release\HDFileSDK.pdb source: LocalPlayback.exe, 0000001E.00000002.2573042521.000000006BCCB000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qwbmpd.pdbw source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\jenkins\workspace\APP_Package_Tool_BaseLine_Tools3\code\target\vs2013\CommonSkin\CommonSkin.pdb source: LocalPlayback.exe, 0000001E.00000002.2568990669.000000006ADBD000.00000002.00000001.01000000.00000028.sdmp
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdb source: vcredist_x86.exe, 0000001C.00000002.2561765338.00000000700E5000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: qwbmpd.pdbXP1 source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qicod.pdbcod.llb source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlmysqld.pdb.lll source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\work\SuperRender\0000000\bin\win32\Private_PDB32\SuperRender.pdb8 ' source: LocalPlayback.exe, 0000001E.00000002.2561255132.0000000001267000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: qwindowsd.pdbritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\platforms\qoffscreend.pdb source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixDepCA.pdb source: vcredist_x86.exe, 00000013.00000003.1819940196.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86.exe, 00000013.00000003.1815835578.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, vcredist_x64_2013.exe, 00000016.00000003.1898813039.0000000000953000.00000004.00000020.00020000.00000000.sdmp, vcredist_x64_2013.exe, 00000016.00000003.1901279866.000000000098E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:/Program Files (x86)/LocalPlayback/imageformats/qwebp.dll.pdb source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\jenkins\workspace\APP_Package_SDK_HCNetUtils_win32\common\HCNetUtils\win32\lib\HCNetUtils.pdb source: LocalPlayback.exe, 0000001E.00000002.2570472714.000000006B205000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: C:/Program Files (x86)/LocalPlayback/imageformats/qwebpd.pdb source: LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:/Program Files (x86)/LocalPlayback/imageformats/qwbmpd.pdbt source: LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlited.pdbb source: LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qwbmpd.pdb.dldbA source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\work\SuperRender\0000000\bin\win32\Private_PDB32\SuperRender.pdb source: LocalPlayback.exe, 0000001E.00000002.2561255132.0000000001267000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: C:/Program Files (x86)/LocalPlayback/imageformats/qtiff.dll.pdb source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qicnsd.pdbScritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: _isres_0x0409.dlllayout.bindata1.hdrdata1.cabsetup.exeISSetup.dll0x0804.ini0x0409.inisetup.iniAnalyzeData.dllAudioRender.dllcalib.dllD3DCompiler_43.dllD3DX9_43.dllEagleEyeRender.dllgdiplus.dllHCCore.dllHCNetSDK.dllHCNetUtils.dllHDFileSDK.dllhpr.dllHWDecode.dlliconv.dlllibxml2.dllLocalPlayback.exeLocalPlayback.ism.771LocalXml.zipMP_Render.dllMP_VIE.dllOpenAL32.dllPlayCtrl.dllQt5Core.dllQt5Gui.dllQt5Network.dllQt5PrintSupport.dllQt5Widgets.dllQt5Xml.dllSettings.xmlSuperRender.dllToolGuiToolkit.dllToolShareModule.dllToolShareModule.libUpgrade.dllUpgrade.xmlYUVProcess.dllzlib1.dllAudioIntercom.dllDsSdk.dllHCAlarm.dllHCAlarm.libHCCoreDevCfg.dllHCDisplay.dllHCGeneralCfgMgr.dllHCGeneralCfgMgr.libHCIndustry.dllHCPlayBack.dllHCPreview.dllHCPreview.libHCVoiceTalk.dlllibiconv2.dllmsvcr90.dllStreamTransClient.dllSystemTransform.dllqdds.dllqddsd.dllqddsd.pdbqgif.dllqgifd.dllqgifd.pdbqicns.dllqicnsd.dllqicnsd.pdbqico.dllqicod.dllqicod.pdbqjpeg.dllqjpegd.dllqjpegd.pdbqsvg.dllqsvgd.dllqsvgd.pdbqtga.dllqtgad.dllqtgad.pdbqtiff.dllqtiffd.dllqtiffd.pdbqwbmp.dllqwbmpd.dllqwbmpd.pdbqwebp.dllqwebpd.dllqwebpd.pdbqminimal.dllqminimald.dllqminimald.pdbqoffscreen.dllqoffscreend.dllqoffscreend.pdbqwindows.dllqwindowsd.dllqwindowsd.pdbqsqlite.dllqsqlited.dllqsqlited.pdbqsqlmysql.dllqsqlmysqld.dllqsqlmysqld.pdbqsqlpsql.dllqsqlpsqld.dllqsqlpsqld.pdbLocalPlayback_en.qmLocalPlayBack_en.tsLocalPlayback_zh.qmLocalPlayBack_zh.tsqt_en.qmqt_zh_CN.qmToolGuiToolkit_en.qmToolGuiToolkit_en.tsToolGuiToolkit_zh.qmToolGuiToolkit_zh.tsToolShareModule_en.qmToolShareModule_en.tsToolShareModule_zh.qmToolShareModule_zh.ts,g0W source: LocalPlayback.exe, 00000002.00000003.2197605938.0000000000855000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: LocalPlayback.exe, 00000002.00000003.1328776964.000000000087D000.00000004.00000020.00020000.00000000.sdmp, ISBEW64.exe, 00000006.00000002.2196188784.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 00000006.00000000.1332346457.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 00000007.00000002.1335450557.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 00000007.00000000.1333414243.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 00000008.00000000.1334155324.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 00000008.00000002.1336690488.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 00000009.00000002.1338208405.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 00000009.00000000.1334838319.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 0000000A.00000000.1335823221.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 0000000A.00000002.1338230664.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 0000000B.00000002.2171021829.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp, ISBEW64.exe, 0000000B.00000000.1389523104.00007FF75D277000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qsvgd.pdbpg.llg source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qgifd.pdbEScritOpedn;z source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: setup.inxlicense.rtfSetup.xmlvcredist_x64_2013.exevcredist_x86.exeFontData.iniDIFxData.inicorecomp.inidotnetinstaller.exedotnetinstaller.exe.configISBEW64.exeStringTable_0x0804.ipsStringTable_0x0409.ipsisrt.dlldefault.pal_isres_0x0804.dll_isres_0x0409.dlllayout.bindata1.hdrdata1.cabsetup.exeISSetup.dll0x0804.ini0x0409.inisetup.iniAnalyzeData.dllAudioRender.dllcalib.dllD3DCompiler_43.dllD3DX9_43.dllEagleEyeRender.dllgdiplus.dllHCCore.dllHCNetSDK.dllHCNetUtils.dllHDFileSDK.dllhpr.dllHWDecode.dlliconv.dlllibxml2.dllLocalPlayback.exeLocalPlayback.ism.771LocalXml.zipMP_Render.dllMP_VIE.dllOpenAL32.dllPlayCtrl.dllQt5Core.dllQt5Gui.dllQt5Network.dllQt5PrintSupport.dllQt5Widgets.dllQt5Xml.dllSettings.xmlSuperRender.dllToolGuiToolkit.dllToolShareModule.dllToolShareModule.libUpgrade.dllUpgrade.xmlYUVProcess.dllzlib1.dllAudioIntercom.dllDsSdk.dllHCAlarm.dllHCAlarm.libHCCoreDevCfg.dllHCDisplay.dllHCGeneralCfgMgr.dllHCGeneralCfgMgr.libHCIndustry.dllHCPlayBack.dllHCPreview.dllHCPreview.libHCVoiceTalk.dlllibiconv2.dllmsvcr90.dllStreamTransClient.dllSystemTransform.dllqdds.dllqddsd.dllqddsd.pdbqgif.dllqgifd.dllqgifd.pdbqicns.dllqicnsd.dllqicnsd.pdbqico.dllqicod.dllqicod.pdbqjpeg.dllqjpegd.dllqjpegd.pdbqsvg.dllqsvgd.dllqsvgd.pdbqtga.dllqtgad.dllqtgad.pdbqtiff.dllqtiffd.dllqtiffd.pdbqwbmp.dllqwbmpd.dllqwbmpd.pdbqwebp.dllqwebpd.dllqwebpd.pdbqminimal.dllqminimald.dllqminimald.pdbqoffscreen.dllqoffscreend.dllqoffscreend.pdbqwindows.dllqwindowsd.dllqwindowsd.pdbqsqlite.dllqsqlited.dllqsqlited.pdbqsqlmysql.dllqsqlmysqld.dllqsqlmysqld.pdbqsqlpsql.dllqsqlpsqld.dllqsqlpsqld.pdbLocalPlayback_en.qmLocalPlayBack_en.tsLocalPlayback_zh.qmLocalPlayBack_zh.tsqt_en.qmqt_zh_CN.qmToolGuiToolkit_en.qmToolGuiToolkit_en.tsToolGuiToolkit_zh.qmToolGuiToolkit_zh.tsToolShareModule_en.qmToolShareModule_en.tsToolShareModule_zh.qmToolShareModule_zh.ts,g0W source: LocalPlayback.exe, 00000002.00000003.2174730969.0000000000844000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196340763.000000000084F000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2188207802.0000000000844000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qsqlited.pdbcritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qwebpd.pdbimage/~ source: LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlpsqld.pdb@ source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qsqlpsqld.pdbritOped$%4 source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qicnsd.pdbrmdlll source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qddsd.pdbformdll source: LocalPlayback.exe, 00000002.00000003.2198116230.000000000082E000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2189404783.000000000082C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qtgad.pdbp.dl source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /LocalPlayback/imageformats/qwebpd.pdb' source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\AudioRender0\WindowsAudio2\bin\win32\Private_PDB32\AudioRender.pdb =k source: LocalPlayback.exe, 0000001E.00000002.2571115843.000000006B3C9000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: qsvgd.pdbEScritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :/aptui/complex/Images/System/Complex/date.pngtgad.pdb source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qsqlmysqld.pdbtOpedX:P source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb@F source: vcredist_x86.exe, 00000013.00000000.1787811525.000000000044A000.00000002.00000001.01000000.0000000F.sdmp, vcredist_x86.exe, 00000013.00000002.1873216538.000000000044A000.00000002.00000001.01000000.0000000F.sdmp, vcredist_x86.exe, 00000014.00000002.1873113180.000000000044A000.00000002.00000001.01000000.0000000F.sdmp, vcredist_x86.exe, 00000014.00000000.1791920978.000000000044A000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: kqsvgd.pdb source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb@E source: vcredist_x86.exe, 00000013.00000003.1807866305.0000000000F47000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb@@ source: vcredist_x64_2013.exe, 00000016.00000002.1937952943.00000000003EA000.00000002.00000001.01000000.00000013.sdmp, vcredist_x64_2013.exe, 00000016.00000000.1876182782.00000000003EA000.00000002.00000001.01000000.00000013.sdmp, vcredist_x64_2013.exe, 00000017.00000002.1938343186.00000000003EA000.00000002.00000001.01000000.00000013.sdmp, vcredist_x64_2013.exe, 00000017.00000000.1877246310.00000000003EA000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\jenkins\workspace\APP_Package_Tool_BaseLine_Tools3\code\target\vs2013\CommonSkin\CommonStyle.pdb source: LocalPlayback.exe, 0000001E.00000002.2575854670.000000006FF59000.00000002.00000001.01000000.00000029.sdmp
Source:	Binary string: C:/Program Files (x86)/LocalPlayback/imageformats/qwbmpd.pdb source: LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\AudioRender0\WindowsAudio2\bin\win32\Private_PDB32\AudioRender.pdb source: LocalPlayback.exe, 0000001E.00000002.2571115843.000000006B3C9000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: qjpegd.pdbScritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qtiffd.pdbScritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kegd.pdbX source: LocalPlayback.exe, 0000001E.00000002.2555626033.0000000000A91000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\platforms\qminimald.pdb source: LocalPlayback.exe, 00000002.00000003.2198507434.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2171020004.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436234286.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196692354.0000000005C50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qoffscreend.pdbtOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qjpegd.pdb source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2424912060.0000000005C0D000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qwebpd.pdbe Q source: LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\LocalPlayback\imageformats\qwbmpd.pdb3 source: LocalPlayback.exe, 0000001E.00000003.2190142052.0000000000B48000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qicod.pdbEScritOped source: LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174101184.0000000005BDD000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2435760784.0000000005BE4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb@ source: vcredist_x86.exe, 0000001B.00000002.1943499977.0000000000F4A000.00000002.00000001.01000000.00000015.sdmp, vcredist_x86.exe, 0000001B.00000000.1932728808.0000000000F4A000.00000002.00000001.01000000.00000015.sdmp, vcredist_x86.exe, 0000001C.00000002.2559508643.0000000000F4A000.00000002.00000001.01000000.00000015.sdmp, vcredist_x86.exe, 0000001C.00000000.1936608719.0000000000F4A000.00000002.00000001.01000000.00000015.sdmp

Data Obfuscation

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_00495AB0 LoadLibraryW,GetProcAddress,MonitorFromPoint,GetDC,GetDeviceCaps,ReleaseDC,MulDiv,FreeLibrary,

2_2_00495AB0

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .rsrc

PE file contains sections with non-standard names

Source: qdd97B4.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qdd97C5.tmp.2.dr	Static PE information: section name: .qtmetad
Source: vcr8865.tmp.2.dr	Static PE information: section name: .wixburn
Source: vcr8951.tmp.2.dr	Static PE information: section name: .wixburn
Source: qgi9815.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qgi9826.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qic9885.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qic9896.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qic98F6.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qic9916.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qjp9985.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qjp99A6.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qsv9A34.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qsv9A54.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qtg9B02.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qtg9B13.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qti9B63.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qti9B93.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qwb9C22.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qwb9C32.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qwe9CA2.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qwe9CA2.tmp.2.dr	Static PE information: section name: _RDATA
Source: qwe9CB2.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qmi9E6A.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qmi9E7A.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qofA0BE.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qofA0FE.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qwiA296.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qwiA2F5.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qsqA549.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qsqA579.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qsqA636.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qsqA647.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qsqA6B6.tmp.2.dr	Static PE information: section name: .qtmetad
Source: qsqA6D6.tmp.2.dr	Static PE information: section name: .qtmetad
Source: Eag859C.tmp.2.dr	Static PE information: section name: .rodata
Source: gdi85CC.tmp.2.dr	Static PE information: section name: Shared
Source: Pla89D3.tmp.2.dr	Static PE information: section name: .rodata
Source: Pla89D3.tmp.2.dr	Static PE information: section name: .data1
Source: Pla89D3.tmp.2.dr	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0043DEB0 push edi; retn 0001h	2_2_0043DEB3
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_004660B5 push ecx; ret	2_2_004660C8
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0045B664 push ecx; ret	2_2_0045B677
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_00439B85 push ecx; ret	19_2_00439B98
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003D9B85 push ecx; ret	22_2_003D9B98
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F39B85 push ecx; ret	27_2_00F39B98
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 28_2_700DEE85 push ecx; ret	28_2_700DEE98
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 28_2_700DC354 pushad ; ret	28_2_700DC355
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CFC170 push ecx; mov dword ptr [esp], 40000000h	30_2_00CFC261
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CFC4C0 push ecx; mov dword ptr [esp], 3F000000h	30_2_00CFC5A8
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CBCD90 push ecx; mov dword ptr [esp], 40000000h	30_2_00CBCE2E
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00D0CE35 push ecx; ret	30_2_00D0CE48
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CBDC50 push ecx; mov dword ptr [esp], 3F000000h	30_2_00CBDCCA
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CBE230 push ecx; mov dword ptr [esp], 40000000h	30_2_00CBE35C
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00C77400 push ecx; mov dword ptr [esp], 40000000h	30_2_00C7743D
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CFB520 push ecx; mov dword ptr [esp], 3F000000h	30_2_00CFB560
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CFB520 push ecx; mov dword ptr [esp], 40000000h	30_2_00CFB6FE
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CFB520 push ecx; mov dword ptr [esp], 40000000h	30_2_00CFB89F
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00CFBE30 push ecx; mov dword ptr [esp], 40000000h	30_2_00CFBF18
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_01244264 push ecx; ret	30_2_01244277

Source: lib96F4.tmp.2.dr	Static PE information: section name: .text entropy: 7.40720181647502
Source: msv9724.tmp.2.dr	Static PE information: section name: .text entropy: 6.9206406211911835
Source: isr8AA1.tmp.2.dr	Static PE information: section name: .text entropy: 7.983864400776431

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120chs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDK.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\gdiplus.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\libiconv2.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qdd97C5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qtg9B13.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\Sys9794.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\DsSdk.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Upg8FDB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qti9B63.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\platforms\qofA0BE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qic98F6.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qic9896.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\platforms\qwiA2F5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\platforms\qmi9E7A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\msvcr90.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Too8DD4.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCG95F3.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Qt58D82.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlmysql.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qgif.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120fra.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcamp120.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\_is8AD2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\D3D84EF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120cht.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\plugins\skins\ComA8AE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\cal8412.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCP9683.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCC8669.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120esn.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCA9581.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCAlarm.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\AnalyzeData.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\lib96F4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120rus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Users\user\AppData\Local\Temp\{BF172FD2-5CBE-4AB8-9EBD-2755BF244CA6}\Disk1\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\plugins\styles\ComA8DE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120kor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\D3D8452.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qtga.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\platforms\qoffscreend.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\libxml2.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qjpeg.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\plugins\skins\ComA87F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\platforms\qwindowsd.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\dot8A6E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCCoreDevCfg.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	File created: C:\Users\user\AppData\Local\Temp\{1b103cea-f037-4504-81de-956057b442c3}\.ba1\wixstdba.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\Ope9753.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qic9885.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120enu.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCV96C4.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\Ana9465.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\isr8AA1.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\AudioIntercom.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120ita.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Qt58C27.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCN86E8.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\set7FB5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qicns.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qsvg.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlpsqld.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\MP_8925.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120cht.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\platforms\qoffscreen.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qjp9985.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	File created: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\platforms\qwiA296.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qico.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCDisplay.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qgi9826.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCPreview.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qwe9CA2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\plugins\styles\ComA8DF.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qtiff.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\gdi85CC.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCIndustry.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Ope89B2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\platforms\qofA0FE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qsvgd.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqA6B6.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\calib.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qtg9B02.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqA549.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qwbmp.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\hpr8777.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\StreamTransClient.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\D3DCompiler_43.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISB8A8F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\SuperRender.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qsv9A34.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\iconv.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\OpenAL32.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HWD8787.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCPlayBack.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\DsS94A6.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\vcr902B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCGeneralCfgMgr.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qjp99A6.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Qt5Widgets.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Qt5Gui.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qtgad.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qwe9CB2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	File created: C:\Users\user\AppData\Local\Temp\{1b103cea-f037-4504-81de-956057b442c3}\.be\vcredist_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\SystemTransform.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcomp120.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qdds.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120enu.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCC95A3.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qgi9815.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Qt58C87.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120deu.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\setup.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Qt5Xml.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Eag859C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120ita.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qsv9A54.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\ToolGuiToolkit.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qddsd.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\ISS80A0.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\D3DX9_43.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qwebpd.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Sup8DC4.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlpsql.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qic9916.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\EagleEyeRender.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qwbmpd.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qicnsd.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qgifd.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Qt5Network.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\_isres_0x0409.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcr8951.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qti9B93.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\ico87D7.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqA636.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\dotnetinstaller.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\plugins\skins\CommonSkin_D.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\AnalyzeData.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Qt58AAE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HDFileSDK.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Qt58B6B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\hpr.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	File created: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\MP_8904.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlited.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\msv9724.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\MP_VIE.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HDF8747.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\platforms\qminimal.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Too8EB0.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcr8865.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Qt58C67.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\vcr92EB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HWDecode.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlmysqld.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\ISSetup.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCVoiceTalk.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\Str9774.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120jpn.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCI9643.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqA579.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Pla89D3.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\zli9454.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120deu.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\plugins\skins\CommonSkin.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\vcamp120.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Aud83F2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlite.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120chs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqA6D6.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCD95D2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qwb9C32.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\platforms\qminimald.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\Aud9485.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\OpenAL32.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qdd97B4.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\isrt.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\YUVProcess.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qwebp.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\zlib1.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\vcredist_x64_2013.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120fra.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Qt5Core.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120esn.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\vcredist_x86.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\platforms\qwindows.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\vcomp120.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\AudioRender.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\PlayCtrl.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Ana83C2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCN86B8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120kor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\platforms\qmi9E6A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qjpegd.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCP9663.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCCore.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqA647.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\YUV9415.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120rus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qicod.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\HCNetUtils.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\plugins\styles\CommonStyle_D.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Users\user\AppData\Local\Temp\{BF172FD2-5CBE-4AB8-9EBD-2755BF244CA6}\Disk1\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\ToolShareModule.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\plugins\styles\CommonStyle.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Loc8846.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\MP_Render.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\lib8816.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\Upgrade.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qtiffd.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120jpn.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Program Files (x86)\LocalPlayback\imageformats\qwb9C22.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	File created: C:\ProgramData\Package Cache\{1b103cea-f037-4504-81de-956057b442c3}\vcredist_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe (copy)	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	File created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	File created: C:\ProgramData\Package Cache\{1b103cea-f037-4504-81de-956057b442c3}\vcredist_x64.exe			Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120chs.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\vcomp120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120deu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120ita.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120deu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120kor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120ita.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120cht.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120rus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120rus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\vcamp120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120kor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120chs.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120fra.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120fra.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcamp120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120jpn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120cht.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120enu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120jpn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120esn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcomp120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc120enu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc120esn.dll	Jump to dropped file

Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0041C3F9 __EH_prolog3_GS,GetPrivateProfileIntW,		2_2_0041C3F9
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_00489BF0 GetLastError,SetLastError,_memset,lstrcpyA,_memset,lstrcpyW,lstrlenA,_memset,lstrcpyA,lstrlenA,lstrlenA,_memmove,lstrcmpiA,GetLastError,SetLastError,_memmove,GetPrivateProfileIntA,_memset,lstrcpyA,GetPrivateProfileStringA,GetSysColor,_memset,_memset,GetPrivateProfileSectionNamesA,lstrcpyA,lstrcpyA,lstrlenA,lstrcpyA,GetPrivateProfileStringA,GetSysColor,GetLastError,SysFreeString,SysFreeString,SysFreeString,SetLastError,lstrcpyA,lstrlenA,lstrcmpA,lstrcpyA,GetPrivateProfileStringA,GetProcAddress,		2_2_00489BF0

Creates license or readme file

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	File created: C:\Users\user~1\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\license.rtf
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	File created: C:\Users\user~1\AppData\Local\Temp\{1b103cea-f037-4504-81de-956057b442c3}\.ba1\license.rtf
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	File created: C:\Users\user~1\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\license.rtf
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	File created: C:\Users\user~1\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\license.rtf

Boot Survival

Creates or modifies windows services

Source: C:\Users\user\Desktop\LocalPlayback.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore

Jump to behavior

Modifies existing windows services

Source: C:\Windows\System32\SrTasks.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LocalPlayback\	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LocalPlayback\Local Playback User Manual.lnk	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LocalPlayback\LocalPlayback.lnk	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LocalPlayback\Uninstall LocalPlayback.lnk	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {f65db027-aff3-4070-886a-0d87064aabb1}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {f65db027-aff3-4070-886a-0d87064aabb1}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {f65db027-aff3-4070-886a-0d87064aabb1}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {f65db027-aff3-4070-886a-0d87064aabb1}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {1b103cea-f037-4504-81de-956057b442c3}
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {1b103cea-f037-4504-81de-956057b442c3}
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {1b103cea-f037-4504-81de-956057b442c3}
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {1b103cea-f037-4504-81de-956057b442c3}

Hooking and other Techniques for Hiding and Protection

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_0044E37D LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_0044E37D

Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains capabilities to detect virtual machines

Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe

File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120chs.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\mfc120deu.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\Qt58C87.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDK.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\setup.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\Eag859C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\gdiplus.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\libiconv2.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120ita.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qdd97C5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qsv9A54.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qddsd.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\ISS80A0.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\D3DX9_43.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qtg9B13.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qwebpd.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\Sup8DC4.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\Sys9794.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\DsSdk.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlpsql.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qic9916.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\EagleEyeRender.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\Upg8FDB.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qwbmpd.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qti9B63.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qicnsd.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qgifd.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qic9896.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\platforms\qofA0BE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qic98F6.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\platforms\qwiA2F5.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\platforms\qmi9E7A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\msvcr90.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\_isres_0x0409.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\Too8DD4.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCG95F3.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlmysql.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\Qt58D82.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qti9B93.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\ico87D7.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qgif.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqA636.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120fra.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\vcamp120.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\_is8AD2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\D3D84EF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\mfc120cht.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\plugins\skins\ComA8AE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\dotnetinstaller.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\cal8412.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\plugins\skins\CommonSkin_D.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCP9683.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCC8669.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\Qt58AAE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\mfc120esn.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\Qt58B6B.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\MP_8904.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCA9581.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCAlarm.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlited.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\msv9724.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\lib96F4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\mfc120rus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\MP_VIE.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HDF8747.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{BF172FD2-5CBE-4AB8-9EBD-2755BF244CA6}\Disk1\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\platforms\qminimal.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\plugins\styles\ComA8DE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120kor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\D3D8452.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\Too8EB0.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qtga.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\platforms\qoffscreend.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\Qt58C67.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\libxml2.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HWDecode.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlmysqld.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\ISSetup.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qjpeg.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\plugins\skins\ComA87F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\platforms\qwindowsd.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\dot8A6E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCCoreDevCfg.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCVoiceTalk.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{1b103cea-f037-4504-81de-956057b442c3}\.ba1\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120jpn.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\Str9774.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\Ope9753.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qic9885.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\mfc120enu.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCV96C4.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCI9643.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\Ana9465.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\isr8AA1.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\AudioIntercom.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\Pla89D3.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqA579.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\mfc120ita.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\Qt58C27.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCN86E8.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\zli9454.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\set7FB5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120deu.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qicns.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qsvg.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlpsqld.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\MP_8925.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120cht.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qjp9985.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\platforms\qoffscreen.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\plugins\skins\CommonSkin.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\vcamp120.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqlite.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\Aud83F2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\platforms\qwiA296.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qico.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCDisplay.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qgi9826.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\mfc120chs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqA6D6.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCPreview.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCD95D2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qwe9CA2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qwb9C32.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\plugins\styles\ComA8DF.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qtiff.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\platforms\qminimald.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\OpenAL32.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\Aud9485.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\gdi85CC.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qdd97B4.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCIndustry.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\isrt.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\Ope89B2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qwebp.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\YUVProcess.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\zlib1.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qsvgd.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\mfc120fra.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\platforms\qofA0FE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqA6B6.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\calib.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qtg9B02.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120esn.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\platforms\qwindows.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqA549.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qwbmp.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\vcomp120.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\Ana83C2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCN86B8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\mfc120kor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qjpegd.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\platforms\qmi9E6A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\hpr8777.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCP9663.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCCore.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\YUV9415.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\sqldrivers\qsqA647.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120rus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\StreamTransClient.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qicod.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\D3DCompiler_43.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qsv9A34.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\OpenAL32.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\iconv.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCPlayBack.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HWD8787.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\DsS94A6.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCGeneralCfgMgr.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\plugins\styles\CommonStyle_D.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qjp99A6.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{BF172FD2-5CBE-4AB8-9EBD-2755BF244CA6}\Disk1\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\plugins\styles\CommonStyle.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\MP_Render.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qtgad.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\lib8816.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qwe9CB2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qtiffd.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\mfc120jpn.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{1b103cea-f037-4504-81de-956057b442c3}\.be\vcredist_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qwb9C22.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\SystemTransform.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\vcomp120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc120enu.dll	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qdds.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{1b103cea-f037-4504-81de-956057b442c3}\vcredist_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCC95A3.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\LocalPlayback.exe	Dropped PE file which has not been started: C:\Program Files (x86)\LocalPlayback\imageformats\qgi9815.tmp	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Evaded block: after key decision

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found evasive API chain checking for process token information

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe

API coverage: 3.0 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\SrTasks.exe TID: 8092

Thread sleep time: -290000s >= -30000s

Jump to behavior

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_0043F195 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0043F236h	19_2_0043F195
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_0043F195 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0043F22Fh	19_2_0043F195
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003DF195 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 003DF236h	22_2_003DF195
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003DF195 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 003DF22Fh	22_2_003DF195
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F3F195 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00F3F236h	27_2_00F3F195
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F3F195 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00F3F22Fh	27_2_00F3F195

Source: C:\Users\user\Desktop\LocalPlayback.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	File Volume queried: C:\Windows FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_00424C8F __EH_prolog3_GS,FindFirstFileW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrcatW,SysStringLen,lstrcatW,GetFileAttributesW,lstrcatW,lstrcmpiW,lstrcpynW,lstrcmpiW,lstrcmpiW,SysStringLen,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,LZOpenFileW,LZOpenFileW,LZCopy,LZClose,LZClose,DeleteFileW,lstrcpyW,	2_2_00424C8F
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0045145E __EH_prolog3_GS,FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,RemoveDirectoryW,__CxxThrowException@8,DeleteFileW,	2_2_0045145E
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0044F772 GetProcAddress,SearchPathW,GetModuleFileNameW,FindFirstFileW,VirtualQuery,VirtualProtect,VirtualProtect,	2_2_0044F772
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0042BF7F FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,	2_2_0042BF7F
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_00428BE8 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	19_2_00428BE8
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_004466A3 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,	19_2_004466A3
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_00445710 _memset,FindFirstFileW,FindClose,	19_2_00445710
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003C8BE8 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	22_2_003C8BE8
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003E66A3 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,	22_2_003E66A3
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003E5710 _memset,FindFirstFileW,FindClose,	22_2_003E5710
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F466A3 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,	27_2_00F466A3
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F28BE8 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	27_2_00F28BE8
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F45710 _memset,FindFirstFileW,FindClose,	27_2_00F45710
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 28_2_700DA685 _memset,FindFirstFileW,FindClose,	28_2_700DA685

Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe

30_2_00C51A50

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_0041C834 CreateFileW,CreateFileMappingW,GetSystemInfo,MapViewOfFile,IsBadReadPtr,UnmapViewOfFile,MapViewOfFile,IsBadReadPtr,GetLastError,

2_2_0041C834

Source: C:\Users\user\Desktop\LocalPlayback.exe	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	File opened: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	File opened: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	File opened: C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\FontData.ini	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	File opened: C:\Users\user~1\AppData\	Jump to behavior

Source: SrTasks.exe, 00000011.00000003.1979159865.000001E88953F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:88
Source: LocalPlayback.exe, 00000002.00000003.2192280789.0000000002CC3000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2191341803.0000000002CB3000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2193014205.0000000002CDB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachinesK
Source: LocalPlayback.exe, 00000002.00000003.2199032197.0000000002DEF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2198813545.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2434443203.0000000002E0E000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2423416014.0000000002DF6000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2199718658.0000000002DF6000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2424223438.0000000002E07000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2173827960.0000000002DCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine,
Source: LocalPlayback.exe, 00000002.00000003.2173827960.0000000002DCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine0
Source: LocalPlayback.exe, 00000002.00000003.2173827960.0000000002DCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine=%ldat.t=0x0000000
Source: LocalPlayback.exe, 00000002.00000003.2174730969.0000000000844000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2432646353.0000000000885000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2425247455.0000000000885000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2195090458.0000000000884000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2194775220.0000000000880000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2188207802.0000000000844000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine4
Source: LocalPlayback.exe, 00000002.00000003.2194282526.000000000089C000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2194108617.0000000000890000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2194743909.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174730969.0000000000890000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2188207802.0000000000890000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196083127.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0_GetVirtualMachineType
Source: LocalPlayback.exe, 00000002.00000003.2173827960.0000000002DCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine0x00000000
Source: LocalPlayback.exe, 00000002.00000003.1337188638.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2433505889.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2424468858.0000000002B83000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2173154921.0000000005BD4000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1328776964.000000000087D000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1337342198.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2195158245.0000000002B82000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1337050034.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2197888428.0000000002B83000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1336897127.0000000002B84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _IsVirtualMachine
Source: LocalPlayback.exe, 00000002.00000003.2170880571.0000000005CA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:m
Source: LocalPlayback.exe, 00000002.00000003.1337188638.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1337342198.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1337050034.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1336897127.0000000002B84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bIsVirtualMachine=%ld
Source: LocalPlayback.exe, 00000002.00000003.1337188638.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1337342198.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1337050034.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1336897127.0000000002B84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bIsVirtualMachine
Source: LocalPlayback.exe, 00000002.00000003.2194282526.000000000089C000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2194108617.0000000000890000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2194743909.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174730969.0000000000890000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2188207802.0000000000890000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196083127.00000000008A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0_IsVirtualMachine\|
Source: LocalPlayback.exe, 00000002.00000003.1328776964.000000000087D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AddIconCallDLLFnComponentViewCreateWindowComponentViewDestroyComponentViewRefreshComponentViewSelectAllComponentViewSetInfoComponentViewSetInfoExCreateFolderDeleteFolderDeleteIconEnableHourGlassEnumFoldersItemsGetCPUTypeGetFontSubGetHandleGetPortsGetSelectedItemStateIsEmptyIsNTAdminIsOSTypeNTIsObjectIsPowerUserLangLoadStringMessageBeepPPathCompactPathPixelPathCrackUrlPathGetDirPathGetDrivePathGetFilePathGetFileExtPathGetFileNamePathGetLongFromShortPathGetPathPathIsValidSyntaxQueryIconReadArrayPropertyReadBoolPropertyReadNumberPropertyReplaceIconShowFolderTextSubSubstituteVerGetFileVersionWriteArrayPropertyWriteBoolPropertyWriteNumberPropertyWriteStringProperty_AppSearch_BrowseForFolder_CCPSearch_CHARArrayToWCHARArray_CalculateAndAddFileCost_CleanupInet_CloseFile_CmdGetHwndDlg_CmdGetMsg_CmdGetParam1_CmdGetParam2_CoGetObject_CompareDWORD_ComponentAddItem_ComponentCompareSizeRequired_ComponentError_ComponentErrorInfo_ComponentFileEnum_ComponentFileInfo_ComponentFilterLanguage_ComponentFilterOS_ComponentGetCost_ComponentGetCostEx_ComponentGetData_ComponentGetItemSize_ComponentGetTotalCost_ComponentGetTotalCostEx_ComponentInitialize_ComponentIsItemSelected_ComponentListItems_ComponentLoadTarget_ComponentMoveData_ComponentPatch_ComponentReinstall_ComponentRemoveAll_ComponentRemoveAllInLogOnly_ComponentSaveTarget_ComponentSelectItem_ComponentSelectNew_ComponentSetData_ComponentSetupTypeEnum_ComponentSetupTypeGetData_ComponentSetupTypeSet_ComponentTotalSize_ComponentTransferData_ComponentUpdate_ComponentValidate_ComponentViewCreate_ComponentViewQueryInfo_CopyBytes_CreateDir_CreateObject_CreateRegistrySet_CreateShellObjects_CtrlGetNotificationCode_CtrlGetParentWindowHelper_CtrlGetSubCommand_CtrlGetUrlForLinkClicked_CtrlSetHtmlContent_CtrlSetMLERichText_DIFxDriverPackageGetPath_DIFxDriverPackageInstall_DIFxDriverPackagePreinstall_DIFxDriverPackageUninstall_DefineDialog_DeleteCHARArray_DialogSetFont_DisableBranding_DisableStatus_Divide_DoInstall_DoSprintf_DotNetCoCreateObject_DotNetUnloadAppDomain_EnableDialogCache_EnablePrevDialog_EnableSkins_EnableStatus_EnableWow64FsRedirection_EndDialog_ExistsDir_ExistsDisk_ExistsFile_ExitInstall_FeatureAddCost_FeatureAddUninstallCost_FeatureGetCost_FeatureInitialize_FeatureSpendCost_FeatureSpendUninstallCost_FileCopy_FloatingPointOperation_GenerateFileMD5SignatureHex_GetByte_GetCurrentDialogName_GetDiskInfo_GetDiskSpaceEx_GetDiskSpaceExEx_GetFont_GetGlobalFlags_GetGlobalMemorySize_GetInetFileSize_GetInetFileTime_GetLine_GetLineSize_GetObject_GetObjectByIndex_GetObjectCount_GetProcessorInfo_GetRunningChildProcess_GetRunningChildProcessEx_GetRunningChildProcessEx2_GetSelectedTreeComponent_GetStandardLangId_GetSupportDir_GetSystemDpi_GetTrueTypeFontFileInfo_GetVirtualMachineType_InetEndofTransfer_InetGetLastError_InetGetNextDisk_InitInstall_IsFontTypefaceNameAvailable_IsInAdminGroup_IsLangSupported_IsSkinLoaded_IsVirtualMachine_IsWindowsME_IsWow64_KillProcesses_ListAddItem_ListAddString_ListCount_ListCreate_ListCurrentIte
Source: LocalPlayback.exe, 0000001E.00000003.2198854322.00000000034CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware&prod_virtual_disk#4&1
Source: SrTasks.exe, 00000011.00000003.1979159865.000001E88953F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: SrTasks.exe, 00000011.00000003.1983702371.000001E8894F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:5
Source: SrTasks.exe, 00000011.00000003.1982316287.000001E88953F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CVMWar&Prod_VMware_SATA_CD00d
Source: LocalPlayback.exe, 0000001E.00000003.2196516371.0000000003502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}g
Source: LocalPlayback.exe, 00000002.00000002.2431896583.00000000007E2000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2424572499.00000000007DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0_IsVirtualMachine
Source: LocalPlayback.exe, 00000002.00000003.1328776964.000000000087D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _GetVirtualMachineType
Source: LocalPlayback.exe, 00000002.00000003.2192280789.0000000002CC3000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2191341803.0000000002CB3000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2193014205.0000000002CDB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine=%ld
Source: LocalPlayback.exe, 0000001E.00000002.2563398991.00000000033A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000P4
Source: LocalPlayback.exe, 00000002.00000003.2199032197.0000000002DEF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2198813545.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2434443203.0000000002E0E000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2423416014.0000000002DF6000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2199718658.0000000002DF6000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2424223438.0000000002E07000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2173827960.0000000002DCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0_GetVirtualMachineTypeieZ
Source: LocalPlayback.exe, 00000002.00000003.2199032197.0000000002DEF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2174730969.0000000000844000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2198813545.0000000002DDE000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2434443203.0000000002E0E000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2423416014.0000000002DF6000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2432646353.0000000000885000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2425247455.0000000000885000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2193014205.0000000002CA8000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2199718658.0000000002DF6000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2195090458.0000000000884000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine
Source: LocalPlayback.exe, 0000001E.00000002.2574803336.000000006C7F3000.00000008.00000001.01000000.00000017.sdmp	Binary or memory string: cfl.?AVQEmulationPaintEngine@@
Source: LocalPlayback.exe, 0000001E.00000002.2574803336.000000006C7F3000.00000008.00000001.01000000.00000017.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: C:\Users\user\Desktop\LocalPlayback.exe	API call chain: ExitProcess graph end node	graph_2-79928
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	API call chain: ExitProcess graph end node
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	API call chain: ExitProcess graph end node
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	API call chain: ExitProcess graph end node
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_00464AFE _memset,IsDebuggerPresent,

2_2_00464AFE

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_00479B1B EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

2_2_00479B1B

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_00495AB0 LoadLibraryW,GetProcAddress,MonitorFromPoint,GetDC,GetDeviceCaps,ReleaseDC,MulDiv,FreeLibrary,

2_2_00495AB0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_0046A319 GetProcessHeap,

2_2_0046A319

Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_00463457 SetUnhandledExceptionFilter,	2_2_00463457
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: 2_2_0046347A SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0046347A
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Code function: 6_2_00007FF75D26DCD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FF75D26DCD4
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe	Code function: 6_2_00007FF75D2707D8 SetUnhandledExceptionFilter,	6_2_00007FF75D2707D8
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_0043A0AC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_0043A0AC
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_00438A42 SetUnhandledExceptionFilter,	19_2_00438A42
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Code function: 19_2_00437EAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_00437EAA
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003DA0AC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_003DA0AC
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003D8A42 SetUnhandledExceptionFilter,	22_2_003D8A42
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Code function: 22_2_003D7EAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_003D7EAA
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F3A0AC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	27_2_00F3A0AC
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F38A42 SetUnhandledExceptionFilter,	27_2_00F38A42
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 27_2_00F37EAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	27_2_00F37EAA
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 28_2_700DB88C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	28_2_700DB88C
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Code function: 28_2_700DC9C1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	28_2_700DC9C1
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_00D0D288 ?terminate@@YAXXZ,__crtSetUnhandledExceptionFilter,	30_2_00D0D288
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: 30_2_01246266 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	30_2_01246266

HIPS / PFW / Operating System Protection Evasion

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe "c:\users\user\appdata\local\temp\{77f7b223-84f4-43ae-9469-cc107488bb8b}\{6674bcc5-bc57-446b-b83b-fa53501e0fdc}\vcredist_x64_2013.exe" /q -burn.unelevated burnpipe.{0942dd9a-af4a-432e-bd2d-a92ffbedb9e9} {f3730af5-9ee5-4b54-a568-50e8ba9679b4} 1876
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Process created: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe "c:\users\user\appdata\local\temp\{77f7b223-84f4-43ae-9469-cc107488bb8b}\{6674bcc5-bc57-446b-b83b-fa53501e0fdc}\vcredist_x64_2013.exe" /q -burn.unelevated burnpipe.{0942dd9a-af4a-432e-bd2d-a92ffbedb9e9} {f3730af5-9ee5-4b54-a568-50e8ba9679b4} 1876

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_0041B88A __EH_prolog3_GS,_memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity,

2_2_0041B88A

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_0045004E GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,

2_2_0045004E

Source: LocalPlayback.exe, 00000002.00000003.2174730969.0000000000844000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2432330466.000000000085A000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2201835616.0000000000859000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OPTYPE_PROGMAN
Source: LocalPlayback.exe, 00000002.00000003.2174730969.0000000000844000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2201787489.0000000000860000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196340763.000000000084F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OPTYPE_PROGMAN7j
Source: LocalPlayback.exe, 00000002.00000003.1302943701.0000000002920000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ISLOG_VERSION_INFO..\..\..\Shared\LogServices2\LogDB.cppOPTYPE_PROGMANISLOGDB_USER_PROPERTIES<
Source: LocalPlayback.exe, 00000002.00000003.2174730969.0000000000844000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2432330466.000000000085A000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2201835616.0000000000859000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OPTYPE_PROGMANes
Source: LocalPlayback.exe, 0000001E.00000002.2573965503.000000006C1B4000.00000002.00000001.01000000.00000018.sdmp	Binary or memory string: QTrayIconMessageWindowClassTaskbarCreatedChangeWindowMessageFilterExuser32ChangeWindowMessageFilterThe platform plugin failed to create a message window.Shell_NotifyIconGetRectShell_TrayWndTrayNotifyWndSysPagerToolbarWindow32`

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_004634AA cpuid

2_2_004634AA

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,GetLocaleInfoW,	2_2_0046DC40
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,	2_2_00469E2F
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	2_2_00479E97
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: EnumSystemLocalesW,	2_2_0046DEB0
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	2_2_0046DF0C
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	2_2_0046DF89
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	2_2_0046E00C
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: GetLocaleInfoW,	2_2_0046E1FF
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,	2_2_0041237B
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_0046E327
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	2_2_0046E3D4
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	2_2_0046E4A8
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: EnumSystemLocalesW,	2_2_0046E9A7
Source: C:\Users\user\Desktop\LocalPlayback.exe	Code function: GetLocaleInfoW,	2_2_0046EA2D
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Code function: GetLocaleInfoA,	30_2_01262289

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\LocalPlayback.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LocalPlayback.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\logo.png VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\{1b103cea-f037-4504-81de-956057b442c3}\.ba1\logo.png VolumeInformation
Source: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\logo.png VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\platforms\qminimal.dll VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\platforms\qminimald.pdb VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\platforms\qoffscreen.dll VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\platforms\qoffscreend.pdb VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\platforms\qwindowsd.dll VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\platforms\qwindowsd.pdb VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\plugins\styles\CommonStyle.dll VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\plugins\styles\CommonStyle_D.dll VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\translations\LocalPlayback_en.qm VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\translations\ToolGuiToolkit_en.qm VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\translations\ToolShareModule_en.qm VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\plugins\skins\CommonSkin.dll VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\plugins\styles\CommonStyle.dll VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\imageformats\qdds.dll VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\imageformats\qddsd.pdb VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\imageformats\qgif.dll VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\imageformats\qgifd.dll VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\imageformats\qtiffd.dll VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\imageformats\qwbmpd.dll VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\imageformats\qwbmpd.pdb VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\imageformats\qwebpd.dll VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\Program Files (x86)\LocalPlayback\Settings.xml VolumeInformation
Source: C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe

Code function: 19_2_004135A5 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,CreateNamedPipeW,GetLastError,

19_2_004135A5

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_0043A720 __EH_prolog3_GS,GetCurrentProcessId,_memset,GetLocalTime,GetModuleFileNameW,

2_2_0043A720

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe

Code function: 19_2_00419A5A GetUserNameW,GetLastError,

19_2_00419A5A

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe

Code function: 19_2_00447D79 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

19_2_00447D79

Source: C:\Users\user\Desktop\LocalPlayback.exe

Code function: 2_2_004501B9 GetVersion,

2_2_004501B9

Source: C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x86.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	4 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Input Capture	12 System Time Discovery	Remote Services	11 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	13 Command and Scripting Interpreter	22 Windows Service	1 Access Token Manipulation	3 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	11 Registry Run Keys / Startup Folder	22 Windows Service	11 Install Root Certificate	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	3 Process Injection	2 Software Packing	NTDS	5 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	37 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	41 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Masquerading	DCSync	2 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	3 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LocalPlayback.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\ISS80A0.tmp	4%	ReversingLabs
C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\ISSetup.dll (copy)	4%	ReversingLabs
C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\set7FB5.tmp	0%	ReversingLabs
C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\setup.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Ana83C2.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\AnalyzeData.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Aud83F2.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\AudioRender.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\D3D8452.tmp	3%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\D3D84EF.tmp	3%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\D3DCompiler_43.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\D3DX9_43.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Eag859C.tmp	3%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\EagleEyeRender.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCC8669.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCCore.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCN86B8.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCN86E8.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDK.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\Ana9465.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\AnalyzeData.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\Aud9485.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\AudioIntercom.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\DsS94A6.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\DsSdk.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCA9581.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCAlarm.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCC95A3.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCCoreDevCfg.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCD95D2.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCDisplay.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCG95F3.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCGeneralCfgMgr.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCI9643.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCIndustry.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCP9663.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCP9683.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCPlayBack.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCPreview.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCV96C4.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\HCVoiceTalk.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\Ope9753.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\OpenAL32.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\Str9774.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\StreamTransClient.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\Sys9794.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\SystemTransform.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\lib96F4.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\libiconv2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\msv9724.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetSDKCom\msvcr90.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HCNetUtils.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HDF8747.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HDFileSDK.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HWD8787.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\HWDecode.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Loc8846.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\MP_8904.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\MP_8925.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\MP_Render.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\MP_VIE.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Ope89B2.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\OpenAL32.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Pla89D3.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\PlayCtrl.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Qt58AAE.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Qt58B6B.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Qt58C27.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Qt58C67.tmp	2%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Qt58C87.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Qt58D82.tmp	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Qt5Core.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Qt5Gui.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Qt5Network.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Qt5PrintSupport.dll (copy)	2%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Qt5Widgets.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\LocalPlayback\Qt5Xml.dll (copy)	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hikdownload.hik-connect.com	49.51.129.211	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.phreedom.org/md5)	LocalPlayback.exe, 0000001E.00000002.2571774893.000000006B4F0000.00000002.00000001.01000000.00000021.sdmp	false		unknown
http://=0x%04x.iniMS	LocalPlayback.exe, 00000002.00000000.1288293705.00000000004AD000.00000002.00000001.01000000.00000004.sdmp, LocalPlayback.exe, 00000002.00000002.2430910825.00000000004AD000.00000002.00000001.01000000.00000004.sdmp	false		unknown
http://www.phreedom.org/md5)08:27	LocalPlayback.exe, 0000001E.00000002.2571774893.000000006B4F0000.00000002.00000001.01000000.00000021.sdmp	false		unknown
http://wixtoolset.org/schemas/thmutil/2010	vcredist_x86.exe, 00000014.00000003.1868826765.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, vcredist_x86.exe, 00000014.00000003.1869418883.00000000027D0000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86.exe, 00000014.00000003.1793238511.000000000062F000.00000004.00000020.00020000.00000000.sdmp, vcredist_x64_2013.exe, 00000017.00000003.1934969780.00000000018B0000.00000004.00000020.00020000.00000000.sdmp, vcredist_x64_2013.exe, 00000017.00000003.1933566497.000000000391B000.00000004.00000800.00020000.00000000.sdmp, vcredist_x86.exe, 0000001B.00000003.1935920151.0000000000652000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86.exe, 0000001C.00000002.2560839508.0000000002E60000.00000004.00000800.00020000.00000000.sdmp, vcredist_x86.exe, 0000001C.00000002.2556580978.0000000000920000.00000004.00000020.00020000.00000000.sdmp, vcredist_x86.exe, 0000001C.00000003.1938300398.00000000009AD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ns.adobe.co	LocalPlayback.exe, 0000001E.00000002.2564948444.0000000003917000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.thawte.com0	LocalPlayback.exe, 00000002.00000003.1328776964.000000000087D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.company.comt	LocalPlayback.exe, 00000002.00000003.1337188638.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2433505889.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2424468858.0000000002B83000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1337342198.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2195158245.0000000002B82000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1337050034.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2197888428.0000000002B83000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1336897127.0000000002B84000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2428892620.0000000002B83000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://qt-project.org/xml/features/report-whitespace-only-CharData	LocalPlayback.exe, 0000001E.00000002.2571320041.000000006B3F9000.00000002.00000001.01000000.00000022.sdmp	false		unknown
http://www.hikvision.comX	LocalPlayback.exe, 00000002.00000003.2174730969.0000000000844000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2188207802.0000000000844000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://xml.org/sax/features/namespaces	LocalPlayback.exe, 0000001E.00000002.2571320041.000000006B3F9000.00000002.00000001.01000000.00000022.sdmp	false		unknown
http://deviis4.installshield.com/NetNirvana/m	LocalPlayback.exe, 00000002.00000003.2174730969.0000000000844000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2196340763.000000000084F000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2188207802.0000000000844000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://hikdownload.hik-connect.com/4200/tool/windows/LocalPlayback/v/standard/en/LocalPlayback	LocalPlayback.exe, 0000001E.00000002.2565211131.0000000003A2A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://xml.org/sax/features/namespaceshttp://xml.org/sax/features/namespace-prefixeshttp://trolltech	LocalPlayback.exe, 0000001E.00000002.2571320041.000000006B3F9000.00000002.00000001.01000000.00000022.sdmp	false		unknown
http://deviis4.installshield.com/NetNirvana/	LocalPlayback.exe, 00000002.00000003.2197605938.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://xml.org/sax/features/namespace-prefixes	LocalPlayback.exe, 0000001E.00000002.2571320041.000000006B3F9000.00000002.00000001.01000000.00000022.sdmp	false		unknown
http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d	LocalPlayback.exe, LocalPlayback.exe, 00000002.00000000.1288293705.00000000004AD000.00000002.00000001.01000000.00000004.sdmp, LocalPlayback.exe, 00000002.00000002.2430910825.00000000004AD000.00000002.00000001.01000000.00000004.sdmp, LocalPlayback.exe, 00000002.00000003.1329950331.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1965739685.0000000006600000.00000004.00000800.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1965894729.0000000006600000.00000004.00000800.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1313616804.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1964381135.0000000006600000.00000004.00000800.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1302943701.0000000002920000.00000040.00001000.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1304570653.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1303819742.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1315533478.00000000007EF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://bugreports.qt.io/	LocalPlayback.exe, 0000001E.00000002.2571774893.000000006B4F0000.00000002.00000001.01000000.00000021.sdmp	false		unknown
http://hikdownload.hik-connect.com/4200/tool/windows/LocalPlayback/v/standard/en/LocalPlayback.exeF	LocalPlayback.exe, 0000001E.00000002.2565211131.0000000003A2A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.hikvision.comCT	LocalPlayback.exe, 00000002.00000003.2424684901.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436551431.0000000005CB1000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2198375398.0000000005CAF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2197831927.0000000005CA7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://wixtoolset.org/schemas/thmutil/2010cessR	vcredist_x64_2013.exe, 00000017.00000003.1933566497.000000000391B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.hikvision.comER	LocalPlayback.exe, 00000002.00000003.2424684901.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436551431.0000000005CB1000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2198375398.0000000005CAF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2197831927.0000000005CA7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	LocalPlayback.exe, 00000002.00000003.1328776964.000000000087D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.hikvision.comal	LocalPlayback.exe, 00000002.00000003.1313616804.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1304570653.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1303819742.00000000007EF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1315533478.00000000007EF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.hikvision.com	LocalPlayback.exe, 00000002.00000003.1337342198.0000000002B82000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2424684901.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2190273382.0000000005CAF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2186596203.0000000005CA2000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000002.2436551431.0000000005CB1000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1329950331.0000000002B70000.00000004.00000800.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1965739685.0000000006600000.00000004.00000800.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1965894729.0000000006600000.00000004.00000800.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.1964381135.0000000006600000.00000004.00000800.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2170880571.0000000005CA2000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2198375398.0000000005CAF000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2197831927.0000000005CA7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.hikvision.com4	LocalPlayback.exe, 00000002.00000003.2196340763.000000000084F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://qt-project.org/xml/features/report-start-end-entity	LocalPlayback.exe, 0000001E.00000002.2571320041.000000006B3F9000.00000002.00000001.01000000.00000022.sdmp	false		unknown
http://wixtoolset.org/schemas/thmutil/2010o	vcredist_x64_2013.exe, 00000017.00000003.1933566497.000000000391B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://trolltech.com/xml/features/report-start-end-entity	LocalPlayback.exe, 0000001E.00000002.2571320041.000000006B3F9000.00000002.00000001.01000000.00000022.sdmp	false		unknown
http://www.hikvision.coml=%ld	LocalPlayback.exe, 00000002.00000003.2195158245.0000000002B82000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2197888428.0000000002B83000.00000004.00000020.00020000.00000000.sdmp, LocalPlayback.exe, 00000002.00000003.2200256507.0000000002BA1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.company.com	LocalPlayback.exe, 00000002.00000003.1336775342.0000000002BA9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://trolltech.com/xml/features/report-whitespace-only-CharData	LocalPlayback.exe, 0000001E.00000002.2571320041.000000006B3F9000.00000002.00000001.01000000.00000022.sdmp	false		unknown
http://bugreports.qt.io/finishedServerMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogic	LocalPlayback.exe, 0000001E.00000002.2571774893.000000006B4F0000.00000002.00000001.01000000.00000021.sdmp	false		unknown
http://hikdownload.hik-connect.com/4200/tool/windows/LocalPlayback/v/standard/en/LocalPlayback.exe	LocalPlayback.exe, 0000001E.00000002.2565211131.0000000003A2A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://hikdownload.hik-connect.com.pngloseView.pngr.Q	LocalPlayback.exe, 0000001E.00000002.2563943582.00000000035A0000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
49.51.129.211	hikdownload.hik-connect.com	China		132203	TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541117
Start date and time:	2024-10-24 12:58:46 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LocalPlayback.exe
Detection:	SUS
Classification:	sus24.bank.evad.winEXE@29/455@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 153 Number of non-executed functions: 221
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, VSSVC.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.
VT rate limit hit for: LocalPlayback.exe

Simulations

Behavior and APIs

Time	Type	Description
08:55:49	API Interceptor	29x Sleep call for process: SrTasks.exe modified
08:56:29	API Interceptor	679x Sleep call for process: LocalPlayback.exe modified
14:55:54	Autostart	Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {f65db027-aff3-4070-886a-0d87064aabb1} "C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe" /burn.runonce

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	powerpc.elf	Get hash	malicious	Unknown	Browse	124.157.170.101
	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse	49.51.77.119
	botnet.m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	101.34.109.211
	PO 635614 635613_CQDM.html	Get hash	malicious	HTMLPhisher	Browse	162.62.150.176
	m68k.elf	Get hash	malicious	Unknown	Browse	124.156.108.17
	byte.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	101.48.49.48
	https://api-restauration.basiic.net/fWmcv/	Get hash	malicious	Unknown	Browse	162.62.150.176
	https://thebatallangroup.taplink.ws/	Get hash	malicious	Unknown	Browse	49.51.78.226
	https://apeidieppe-d.basiic.net/yKKWd	Get hash	malicious	HTMLPhisher	Browse	162.62.150.176
	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAIL.exe	Get hash	malicious	FormBook	Browse	129.226.56.200

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	14057
Entropy (8bit):	5.488271135042784
Encrypted:	false
SSDEEP:	192:4dEDaVRVKBWYkGMFEpbpeHdCRI6AkIRiCRI6AkyRBDEHot42npNaeX:4lpspBJ
MD5:	25B6B5C70F03E72F513BA984BEADB982
SHA1:	DE1E2111B019DDCFD6562021B9ACB01C3E3D95F1
SHA-256:	AD2AA131E0A191F3C78FD5233F314343FABE2EDC09D83A1839FAC772A9D61703
SHA-512:	AE54F888A3E7C448F31C9E136A213D82A3F51D579B468BCCC8C539B0F635E23811E1087441E88F2BA208B69EEEF3302008D183AF5D19DE98B59FD1671E611631
Malicious:	false
Preview:	...@IXOS.@.....@.FXY.@.....@.....@.....@.....@.....@......&.{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}:.Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005..vc_runtimeMinimum_x86.msi.@.....@.R...@.....@........&.{E9934153-EAB1-4DA6-AA72-86C8BB1EDF2C}.....@.....@.....@.....@.......@.....@.....@.......@....:.Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{FE80AAC7-9373-345B-8C89-01D4359338F8}&.{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}.@......&.{0835C947-D6D2-4E52-AF14-0231D04E88EA}&.{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}.@......&.{74260D9F-D644-423B-B2D4-0291EA4BA8BE}&.{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}.@......&.{63B83B20-1AB9-4F49-B0B2-4489724CA96C}&.{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}.@......&.{E08DC543-ADA7-466B-B629-CE908DD9BDE3}&.{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}.@......&.{1A7754D3-744B-439A-B284-BD7A1C24FCFA}&.{

Process:	C:\Users\user\Desktop\LocalPlayback.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (308), with CRLF line terminators
Category:	dropped
Size (bytes):	22490
Entropy (8bit):	3.484827950705229
Encrypted:	false
SSDEEP:	384:CTmyuV//BiTbh/Y4AwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/N/lWr0aa0Mhs+XVgv
MD5:	8586214463BD73E1C2716113E5BD3E13
SHA1:	F02E3A76FD177964A846D4AA0A23F738178DB2BE
SHA-256:	089D3068E42958DD2C0AEC668E5B7E57B7584ACA5C77132B1BCBE3A1DA33EF54
SHA-512:	309200F38D0E29C9AAA99BB6D95F4347F8A8C320EB65742E7C539246AD9B759608BD5151D1C5D1D05888979DAA38F2B6C3BF492588B212B583B8ADBE81FA161B
Malicious:	false
Preview:	..[.0.x.0.4.0.9.].....1.1.0.0.=.S.e.t.u.p. .I.n.i.t.i.a.l.i.z.a.t.i.o.n. .E.r.r.o.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t.h.e. .%.2.,. .w.h.i.c.h. .w.i.l.l. .g.u.i.d.e. .y.o.u. .t.h.r.o.u.g.h. .t.h.e. .p.r.o.g.r.a.m. .s.e.t.u.p. .p.r.o.c.e.s.s... . .P.l.e.a.s.e. .w.a.i.t.......1.1.0.3.=.C.h.e.c.k.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .V.e.r.s.i.o.n.....1.1.0.4.=.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .V.e.r.s.i.o.n.....1.1.0.5.=.C.o.n.f.i.g.u.r.i.n.g. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.i.n.g. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.s. .c.o.m.p.l.e.t.e.d. .c.o.n.f.i.g.u.r.i.n.g. .t.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.n. .y.o.u.r. .s.y.s.t.e.m... .T.h.e. .s.y.s.t.e.m. .n.e.e.d.s. .t.o. .b.e. .r.e.s.t.a.r.t.e.d. .i.n. .o.r.d.e.r. .t.o. .c.o.n.t.i.n.u.e. .w.i.t.h. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n... .P.l.e.a.s.e. .c.l.i.c.k. .R.e.s.t.a.r.t. .t.o. .r.e.b.o.o.t. .t.h.e. .s.y.s.t.e.m.......1.1.0.8.

Process:	C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe
File Type:	data
Category:	dropped
Size (bytes):	874
Entropy (8bit):	2.8283643978655695
Encrypted:	false
SSDEEP:	12:GZK34pgMClGttDq+xUFZMAKL+ftun2Q9kXg1Q126TfyeXjcl1sK:cKUgMClc2ZMAKlcFK1L
MD5:	DFB3C25DD94DF0DCF44D8204DB30A1C2
SHA1:	6CE33E7AF48C627F477FA859E9B1A073503DBF19
SHA-256:	D085564CA40DE3E08A3622688E835BF087E8EA86D9DF3D46AAD9FFA3BADF096B
SHA-512:	637DD13519850E1AA6E0B948005F66DDB5EA24213DA2E8DCB67BDF99AECA23A46E419324E8CE3B8AC5F87E0321604DF94CC57CC38CAE8068BDDAC606E97602B8
Malicious:	false
Preview:	A.......................................................................................................................................................................................................................W.i.x.B.u.n.d.l.e.F.o.r.c.e.d.R.e.s.t.a.r.t.P.a.c.k.a.g.e.................W.i.x.B.u.n.d.l.e.L.a.s.t.U.s.e.d.S.o.u.r.c.e.............................W.i.x.B.u.n.d.l.e.N.a.m.e.....<...M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.3. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.6.4.). .-. .1.2...0...3.0.5.0.1.........W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.........C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.{.7.7.F.7.B.2.2.3.-.8.4.F.4.-.4.3.A.E.-.9.4.6.9.-.C.C.1.0.7.4.8.8.B.B.8.B.}.\.{.6.6.7.4.B.C.C.5.-.B.C.5.7.-.4.4.6.B.-.B.8.3.B.-.F.A.5.3.5.0.1.E.0.F.D.C.}.\.v.c.r.e.d.i.s.t._.x.6.4._.2.0.1.3...e.x.e.....................

Process:	C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1085
Entropy (8bit):	5.366402065947335
Encrypted:	false
SSDEEP:	24:tQ8tGMsLzAUOAQ3cP2LZktSQdGQXUPtqoQYXHK+EQYUK+EQXPceRNSQIsc:i8t1QrNQKOZkUQAQkPt3QftQMtQXEBQ8
MD5:	380195E629F3F46561CF38D068BFE0C7
SHA1:	77EC61FB8C13009F67B15C536242C7824A1480BF
SHA-256:	848A232A5452EDF1ECA881D98F8B13E3341139E25D4DF91FF123927A21017766
SHA-512:	B361AC04C0F976450F93A54630E3062E065050AAD4E38B3AB88698ECF582EC8BBAF3D5E309501F71FE2FC05F2A63955F954C46AF2035332F3E9222951D39E781
Malicious:	false
Preview:	[1260:10D0][2024-10-24T08:56:03]i001: Burn v3.7.2829.0, Windows v6.3 (Build 9600: Service Pack 0), path: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe, cmdline: ''..[1260:10D0][2024-10-24T08:56:03]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user~1\AppData\Local\Temp\dd_vcredist_x86_20241024085603.log'..[1260:10D0][2024-10-24T08:56:04]i100: Detect begin, 2 packages..[1260:10D0][2024-10-24T08:56:04]i102: Detected related bundle: {1b103cea-f037-4504-81de-956057b442c3}, type: Upgrade, scope: PerMachine, version: 12.0.30501.0, operation: None..[1260:10D0][2024-10-24T08:56:04]i101: Detected package: vcRuntimeMinimum_x86, state: Present, cached: Complete..[1260:10D0][2024-10-24T08:56:04]i101: Detected package: vcRuntimeAdditional_x86, state: Present, cached: Complete..[1260:10D0][2024-10-24T08:56:04]i052: Condition 'VersionNT >= v6.0 OR (VersionNT = v5.1 AND ServicePackLevel >= 2) OR (VersionNT = v5.2 AND ServicePackLevel >= 1)' eva

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.992730106375394
TrID:	Win32 Executable (generic) a (10002005/4) 95.94% DirectShow filter (201580/2) 1.93% Windows ActiveX control (116523/4) 1.12% Win32 EXE PECompact compressed (v2.x) (59071/9) 0.57% Win32 EXE PECompact compressed (generic) (41571/9) 0.40%
File name:	LocalPlayback.exe
File size:	80'556'152 bytes
MD5:	ef3eafbf2d877473b2802e1add2857ad
SHA1:	c60a150229844a0f1822556700c6a8cefd683a30
SHA256:	88fcc295ae1a01ca93de900d4fd56411dbf197453d07e2c109faa714558bf81b
SHA512:	27c2a3552a8fced7826cff45951cc204d0c26ea23fb2d1bcca3d53f5dd08658c0b1ce230c4d86a8ab4e9fd7cf6dd8a327c03b996114e9735220b68c6b04fadd9
SSDEEP:	1572864:QzzU2JzqdRLou6zU2J6sXLZ7yrapqfs3BflOoLpRw:QV8RFi64d7ymUfAflOgpRw
TLSH:	85083303BA81A02EE6A10131CC7F6E6456947DB74B224A9BB794FE5C2DF02D1B937707
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........X=..6n..6n..6n[2.n..6n.3.n..6n.3.n\|.6n[2.n..6n.3.n..6n...n..6n..7nY.6n...n..6n[2.n..6n[2.n..6n...n..6n[2.n..6nRich..6n.......

Entrypoint:	0x45e1af
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x55F79958 [Tue Sep 15 04:06:48 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	59bf583aed393d5efd11b26367bfdcc8

Signature Valid:	true
Signature Issuer:	CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	19/04/2016 00:56:10 20/04/2019 00:56:10
Subject Chain	CN="HANGZHOU HIKVISION DIGITAL TECHNOLOGY CO.,LTD.", O="HANGZHOU HIKVISION DIGITAL TECHNOLOGY CO.,LTD.", STREET=\u676d\u5dde\u5e02\u897f\u6e56\u533a\u9a6c\u584d\u8def36\u53f7, L=Hangzhou, S=Zhejiang, C=CN, OID.1.3.6.1.4.1.311.60.2.1.2=ZHEJIANG, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=91330000733796106p, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	AA7AE4115F92468FF44FF17DD1EC45F3
Thumbprint SHA-1:	1AAB0FCFCD993B25BCF42041E192C77C254A6A44
Thumbprint SHA-256:	45853064191CA820195581969F53E1FA85294F722825063BBFAFA746CA785AF7
Serial:	11217AC8455F6698571A5CFA13EAC185C34A

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd2ff8	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xdb000	0x4c328	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4cceb68	0x4510
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xad740	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xc2950	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xad000	0x6b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xaba3b	0xabc00	a078f72dc5c50680c37fc31180f5fe0e	False	0.4699227278930131	data	6.54130481451023	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xad000	0x28478	0x28600	62fb3997483276798e4411f74dd073da	False	0.42553333010835914	data	5.191327893018176	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd6000	0x4be4	0x2600	219685e8ad701f96ae982d565dd2110b	False	0.2778577302631579	data	4.352684547786983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xdb000	0x4c328	0x4c400	ed45db0360676911036ebdd1c16436ca	False	0.35971759733606556	data	6.534164934723333	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
GIF	0xdbed4	0x339f	GIF image data, version 89a, 350 x 624	English	United States	0.9129020052970109
PNG	0xdf274	0x39ed	PNG image data, 360 x 150, 8-bit/color RGBA, non-interlaced			0.9975723244992919
PNG	0xe2c64	0x2fc9	PNG image data, 240 x 227, 8-bit/color RGBA, non-interlaced			0.9968119022316685
RT_BITMAP	0xe5c30	0x14220	Device independent bitmap graphic, 220 x 370 x 8, image size 81400			0.34390764454792394
RT_BITMAP	0xf9e50	0x1b5c	Device independent bitmap graphic, 180 x 75 x 4, image size 6900			0.18046830382638493
RT_BITMAP	0xfb9ac	0x38e4	Device independent bitmap graphic, 180 x 75 x 8, image size 13500			0.26689096402087337
RT_BITMAP	0xff290	0x1238	Device independent bitmap graphic, 60 x 60 x 8, image size 3600			0.23499142367066894
RT_BITMAP	0x1004c8	0x6588	Device independent bitmap graphic, 161 x 152 x 8, image size 24928, resolution 3796 x 3796 px/m, 256 important colors			0.3035934133579563
RT_BITMAP	0x106a50	0x11f88	Device independent bitmap graphic, 161 x 152 x 24, image size 73568, resolution 3780 x 3780 px/m			0.12790729268557766
RT_ICON	0x1189d8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0			0.21341463414634146
RT_ICON	0x119040	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0			0.34139784946236557
RT_ICON	0x119328	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0			0.5202702702702703
RT_ICON	0x119450	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.47334754797441364
RT_ICON	0x11a2f8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.6101083032490975
RT_ICON	0x11aba0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.596820809248555
RT_ICON	0x11b108	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.2932572614107884
RT_ICON	0x11d6b0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.4343339587242026
RT_ICON	0x11e758	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.7198581560283688
RT_ICON	0x11ebc0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.35618279569892475
RT_ICON	0x11eea8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.42473118279569894
RT_DIALOG	0x11f190	0x1ce	data			0.48917748917748916
RT_DIALOG	0x11f360	0x266	data			0.4527687296416938
RT_DIALOG	0x11f5c8	0x2b0	data			0.438953488372093
RT_DIALOG	0x11f878	0x54	data			0.6904761904761905
RT_DIALOG	0x11f8cc	0x34	data			0.8846153846153846
RT_DIALOG	0x11f900	0xd6	data			0.6495327102803738
RT_DIALOG	0x11f9d8	0x114	data			0.5036231884057971
RT_DIALOG	0x11faec	0xd6	data			0.5841121495327103
RT_DIALOG	0x11fbc4	0x246	data			0.4690721649484536
RT_DIALOG	0x11fe0c	0x3c8	data			0.4194214876033058
RT_DIALOG	0x1201d4	0x14e	data			0.5359281437125748
RT_DIALOG	0x120324	0x1e8	data			0.49385245901639346
RT_DIALOG	0x12050c	0x1c6	data			0.5286343612334802
RT_DIALOG	0x1206d4	0x1ee	data			0.49190283400809715
RT_DIALOG	0x1208c4	0x7c	data			0.7580645161290323
RT_DIALOG	0x120940	0x3bc	data			0.4372384937238494
RT_DIALOG	0x120cfc	0x158	data			0.5581395348837209
RT_DIALOG	0x120e54	0x1da	data			0.5168776371308017
RT_DIALOG	0x121030	0x10a	data			0.6015037593984962
RT_DIALOG	0x12113c	0xde	data			0.6441441441441441
RT_DIALOG	0x12121c	0x1d4	data			0.5085470085470085
RT_DIALOG	0x1213f0	0x1dc	data			0.5210084033613446
RT_DIALOG	0x1215cc	0x294	data			0.48787878787878786
RT_STRING	0x121860	0x160	data	English	United States	0.5340909090909091
RT_STRING	0x1219c0	0x23e	data	English	United States	0.40418118466898956
RT_STRING	0x121c00	0x378	data	English	United States	0.4222972972972973
RT_STRING	0x121f78	0x252	data	English	United States	0.4393939393939394
RT_STRING	0x1221cc	0x1f4	data	English	United States	0.442
RT_STRING	0x1223c0	0x66a	data	English	United States	0.3617539585870889
RT_STRING	0x122a2c	0x366	data	English	United States	0.41379310344827586
RT_STRING	0x122d94	0x27e	data	English	United States	0.4561128526645768
RT_STRING	0x123014	0x518	data	English	United States	0.39800613496932513
RT_STRING	0x12352c	0x882	data	English	United States	0.3002754820936639
RT_STRING	0x123db0	0x23e	data	English	United States	0.45121951219512196
RT_STRING	0x123ff0	0x3ba	data	English	United States	0.3280922431865828
RT_STRING	0x1243ac	0x12c	data	English	United States	0.5266666666666666
RT_STRING	0x1244d8	0x4a	data	English	United States	0.6756756756756757
RT_STRING	0x124524	0xda	data	English	United States	0.6100917431192661
RT_STRING	0x124600	0x110	data	English	United States	0.5845588235294118
RT_STRING	0x124710	0x20a	data	English	United States	0.4521072796934866
RT_STRING	0x12491c	0xba	Matlab v4 mat-file (little endian) P, numeric, rows 0, columns 0	English	United States	0.5860215053763441
RT_STRING	0x1249d8	0xa8	data	English	United States	0.6607142857142857
RT_STRING	0x124a80	0x12a	data	English	United States	0.5201342281879194
RT_STRING	0x124bac	0x422	data	English	United States	0.2741020793950851
RT_STRING	0x124fd0	0x5c2	data	English	United States	0.37720488466757124
RT_STRING	0x125594	0x40	data	English	United States	0.671875
RT_STRING	0x1255d4	0xcaa	data	English	United States	0.2313386798272671
RT_STRING	0x126280	0x284	data	English	United States	0.4363354037267081
RT_GROUP_ICON	0x126504	0x84	data			0.6363636363636364
RT_GROUP_ICON	0x126588	0x14	data			1.25
RT_GROUP_ICON	0x12659c	0x14	data			1.25
RT_VERSION	0x1265b0	0x44c	data			0.4290909090909091
RT_MANIFEST	0x1269fc	0x622	XML 1.0 document, ASCII text, with CRLF line terminators			0.44522292993630574
RT_MANIFEST	0x127020	0x307	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (715), with CRLF line terminators	English	United States	0.4941935483870968

DLL	Import
COMCTL32.dll
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
LZ32.dll	LZClose, LZOpenFileW, LZCopy
msi.dll
KERNEL32.dll	VirtualQuery, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, FindResourceExW, FreeLibrary, LoadLibraryExW, lstrcmpiW, lstrcpynW, lstrcatW, LoadLibraryW, GetPrivateProfileIntW, IsBadReadPtr, CompareStringW, CompareStringA, GetSystemDefaultLangID, GetUserDefaultLangID, ExpandEnvironmentStringsW, GetCurrentDirectoryW, FileTimeToLocalFileTime, GetFileTime, SetFileAttributesW, HeapAlloc, HeapFree, GetProcessHeap, CopyFileW, GetSystemInfo, GetSystemTimeAsFileTime, CreateEventW, CreateMutexW, ReleaseMutex, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, QueryPerformanceFrequency, SetErrorMode, RaiseException, WriteFile, SetFilePointer, GetFileSize, GetFileAttributesW, GetDriveTypeW, GetDiskFreeSpaceW, FindFirstFileW, FindClose, CreateDirectoryW, VerLanguageNameW, IsValidLocale, FreeResource, GetPrivateProfileSectionNamesA, GetPrivateProfileStringA, GetPrivateProfileIntA, lstrcatA, lstrcmpiA, LoadResource, FlushFileBuffers, WriteConsoleW, SetStdHandle, OutputDebugStringW, SetConsoleCtrlHandler, SetFilePointerEx, GetConsoleMode, GetConsoleCP, EnumSystemLocalesW, GetUserDefaultLCID, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetFileType, HeapReAlloc, GetStdHandle, HeapSize, AreFileApisANSI, GetModuleHandleExW, GetStringTypeW, GetCurrentThreadId, GetCPInfo, GetOEMCP, IsValidCodePage, CreateSemaphoreW, GetStartupInfoW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FatalAppExitA, GetLocaleInfoW, WideCharToMultiByte, lstrcpyA, GetTickCount, ExitThread, CreateThread, GetExitCodeProcess, ReadFile, GetCommandLineW, FormatMessageW, LocalFree, GetVersionExW, GetWindowsDirectoryW, InterlockedDecrement, InterlockedIncrement, GetTempPathW, CreateFileW, FindResourceW, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, SizeofResource, LockResource, SetLastError, GetLastError, DuplicateHandle, RemoveDirectoryW, DeleteFileW, SetCurrentDirectoryW, lstrlenW, lstrcpyW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, CreateProcessW, Sleep, CloseHandle, GetACP, IsProcessorFeaturePresent, IsDebuggerPresent, RtlUnwind, InterlockedExchange, lstrcpynA, LocalAlloc, FindNextFileW, WritePrivateProfileSectionW, GetPrivateProfileSectionW, lstrcmpW, GetShortPathNameW, GetCurrentThread, QueryPerformanceCounter, ReadConsoleW, SearchPathW, lstrcmpA, SystemTimeToFileTime, ResetEvent, SetEvent, VirtualProtect, Process32NextW, Process32FirstW, CreateToolhelp32Snapshot, GetDateFormatW, GetTimeFormatW, GetTempFileNameW, GetEnvironmentVariableW, CompareFileTime, SetFileTime, MultiByteToWideChar, MoveFileExW, WriteProcessMemory, VirtualProtectEx, GetSystemDirectoryW, FlushInstructionCache, SetThreadContext, GetThreadContext, ResumeThread, TerminateProcess, ExitProcess, GetCurrentProcess, MulDiv, WaitForSingleObject, OpenProcess, GetProcessTimes, lstrlenA, GetLocalTime, GetCurrentProcessId, GetVersion, LCMapStringW, DecodePointer, EncodePointer, LeaveCriticalSection, EnterCriticalSection
USER32.dll	SetActiveWindow, SetDlgItemTextW, GetDlgItem, SetForegroundWindow, DialogBoxIndirectParamW, MoveWindow, SendMessageW, CharUpperBuffW, SetWindowTextW, GetWindowRect, MessageBoxW, GetWindowLongW, SetWindowLongW, LoadIconW, TranslateMessage, wsprintfW, EndDialog, WaitForInputIdle, SystemParametersInfoW, GetWindow, FillRect, GetSysColor, MapWindowPoints, RemovePropW, GetPropW, SetPropW, EndPaint, BeginPaint, EnableMenuItem, GetSystemMetrics, SetFocus, DefWindowProcW, GetMessageW, LoadStringW, LoadImageW, ReleaseDC, GetDC, CreateDialogParamW, GetParent, GetWindowTextW, CharNextW, GetDesktopWindow, GetClientRect, IsWindowEnabled, CreateDialogIndirectParamW, DispatchMessageW, IsDialogMessageW, FindWindowExW, ScreenToClient, EnableWindow, MsgWaitForMultipleObjects, SendDlgItemMessageW, SetWindowPos, ShowWindow, DestroyWindow, IsWindow, ExitWindowsEx, CharUpperW, wsprintfA, CallWindowProcW, CreateWindowExW, DrawIcon, DrawTextW, UpdateWindow, GetWindowDC, InvalidateRect, DrawFocusRect, CopyRect, InflateRect, EnumChildWindows, GetClassNameW, MapDialogRect, RegisterClassExW, GetDlgItemTextW, IntersectRect, MonitorFromPoint, PostMessageW, PeekMessageW, IsWindowVisible
GDI32.dll	SetPixel, TextOutW, SetTextColor, SetBkMode, SetBkColor, SaveDC, RestoreDC, CreateSolidBrush, UnrealizeObject, CreateHalftonePalette, GetDIBColorTable, SelectPalette, SelectObject, RealizePalette, GetSystemPaletteEntries, GetDeviceCaps, DeleteDC, CreatePalette, CreateCompatibleDC, BitBlt, GetObjectW, TranslateCharsetInfo, DeleteObject, CreateFontIndirectW, CreateCompatibleBitmap, CreateDCW, CreatePatternBrush, GetStockObject, GetTextExtentPoint32W, DeleteMetaFile, CreateDIBitmap, CreateBitmap, CreateRectRgn, PatBlt, PlayMetaFile, SelectClipRgn, SetMapMode, SetMetaFileBitsEx, StretchBlt, SetStretchBltMode, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx
ADVAPI32.dll	RegQueryValueExW, RegCreateKeyExW, CryptVerifySignatureW, CryptSignHashW, CryptHashData, CryptCreateHash, CryptAcquireContextW, FreeSid, AllocateAndInitializeSid, EqualSid, GetTokenInformation, OpenThreadToken, RegEnumKeyW, RegCreateKeyW, LookupPrivilegeValueW, AdjustTokenPrivileges, OpenProcessToken, RegOpenKeyW, RegEnumValueW, RegOpenKeyExW, RegQueryInfoKeyW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegSetValueExW, RegCloseKey
SHELL32.dll	SHGetMalloc, SHGetPathFromIDListW, SHGetSpecialFolderLocation, ShellExecuteExW
ole32.dll	StringFromGUID2, CoCreateGuid, CoLoadLibrary, CreateItemMoniker, GetRunningObjectTable, CoUninitialize, CoInitializeEx, ProgIDFromCLSID, CreateStreamOnHGlobal, CoInitializeSecurity, CoCreateInstance, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree
OLEAUT32.dll	VariantInit, LoadTypeLib, RegisterTypeLib, SetErrorInfo, CreateErrorInfo, VarBstrCmp, SysAllocString, SysFreeString, SysStringLen, SysAllocStringLen, SysReAllocStringLen, GetErrorInfo, SysStringByteLen, SysAllocStringByteLen, VariantChangeType, VariantClear, VarUI4FromStr, VarBstrCat
CRYPT32.dll	CertOpenSystemStoreW, CryptAcquireCertificatePrivateKey, CryptImportPublicKeyInfo, CertCompareCertificate, CertAddCertificateContextToStore, CertGetCertificateContextProperty, CertSetCertificateContextProperty, CertGetIssuerCertificateFromStore, CertFindCertificateInStore, CertEnumCertificatesInStore, CertSaveStore, CertOpenStore, PFXImportCertStore
RPCRT4.dll	UuidCreate, UuidToStringW, UuidFromStringW, RpcStringFreeW
gdiplus.dll	GdipGetImageWidth, GdipGetImageHeight, GdipAlloc, GdipFree, GdiplusStartup, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdipDeleteGraphics, GdipCreateFromHDC, GdipCreateBitmapFromResource, GdipCreateBitmapFromFileICM, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromFile, GdipCreateBitmapFromStream, GdipDisposeImage

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 13:01:16.396188021 CEST	49983	80	192.168.2.7	49.51.129.211
Oct 24, 2024 13:01:16.401561975 CEST	80	49983	49.51.129.211	192.168.2.7
Oct 24, 2024 13:01:16.401751995 CEST	49983	80	192.168.2.7	49.51.129.211
Oct 24, 2024 13:01:16.402729988 CEST	49983	80	192.168.2.7	49.51.129.211
Oct 24, 2024 13:01:16.408006907 CEST	80	49983	49.51.129.211	192.168.2.7
Oct 24, 2024 13:01:17.260489941 CEST	80	49983	49.51.129.211	192.168.2.7
Oct 24, 2024 13:01:17.260694027 CEST	49983	80	192.168.2.7	49.51.129.211

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 13:01:16.368952036 CEST	50746	53	192.168.2.7	1.1.1.1
Oct 24, 2024 13:01:16.389944077 CEST	53	50746	1.1.1.1	192.168.2.7

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 13:01:16.402729988 CEST	97	OUT	GET /4200/tool/windows/LocalPlayback/package.json HTTP/1.1 Host: hikdownload.hik-connect.com
Oct 24, 2024 13:01:17.260489941 CEST	407	IN	HTTP/1.1 404 Not Found Date: Thu, 24 Oct 2024 11:01:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 242 Connection: keep-alive Server: Tengine Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 68 72 2f 3e 50 6f 77 65 72 65 64 20 62 79 20 54 65 6e 67 69 6e 65 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body bgcolor="white"><h1>404 Not Found</h1><p>The requested URL was not found on this server.<hr/>Powered by Tengine</body></html>

Target ID:	2
Start time:	06:59:43
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\LocalPlayback.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LocalPlayback.exe"
Imagebase:	0x400000
File size:	80'556'152 bytes
MD5 hash:	EF3EAFBF2D877473B2802E1ADD2857AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	06:59:48
Start date:	24/10/2024
Path:	C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F60EF52-B8AE-4C65-B672-4ECBA9C7EF64}
Imagebase:	0x7ff75d260000
File size:	182'008 bytes
MD5 hash:	1AE40C548AE265EFF8D25EA7538A5196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	11
Start time:	06:59:53
Start date:	24/10/2024
Path:	C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user~1\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3309AE38-3356-4998-B51D-DDEA1CA316CD}
Imagebase:	0x7ff75d260000
File size:	182'008 bytes
MD5 hash:	1AE40C548AE265EFF8D25EA7538A5196
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	17
Start time:	08:55:48
Start date:	24/10/2024
Path:	C:\Windows\System32\SrTasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Imagebase:	0x7ff711230000
File size:	59'392 bytes
MD5 hash:	2694D2D28C368B921686FE567BD319EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	21
Start time:	08:55:52
Start date:	24/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6ab9c0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	22
Start time:	08:55:57
Start date:	24/10/2024
Path:	C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\{77F7B223-84F4-43AE-9469-CC107488BB8B}\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\vcredist_x64_2013.exe /q
Imagebase:	0x3b0000
File size:	7'195'312 bytes
MD5 hash:	385194EB89B6741781CB9065D8E8158E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	27
Start time:	08:56:03
Start date:	24/10/2024
Path:	C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe" /burn.runonce
Imagebase:	0xf10000
File size:	461'368 bytes
MD5 hash:	2335AB0C0E19C0EF416D07DF66FEE649
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LocalPlayback.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\6c4c8e.rbs

C:\Config.Msi\6c4c92.rbs

C:\Config.Msi\6c4c96.rbs

C:\Config.Msi\6c4c9a.rbs

C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\0x0409.ini (copy)

C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\0x0804.ini (copy)

C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\0x0814D.tmp

C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\0x0817D.tmp

C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\ISS80A0.tmp

C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\ISSetup.dll (copy)

C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\dat7B00.tmp

C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\dat7B01.tmp

C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\data1.cab (copy)

C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\data1.hdr (copy)

C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\lay7AEF.tmp

C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\layout.bin (copy)

C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\set7FB5.tmp

C:\Program Files (x86)\InstallShield Installation Information\{6674BCC5-BC57-446B-B83B-FA53501E0FDC}\set81BD.tmp

Windows Analysis Report
LocalPlayback.exe

Target ID:	30
Start time:	08:56:26
Start date:	24/10/2024
Path:	C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LocalPlayback\LocalPlayback.exe"
Imagebase:	0xc30000
File size:	1'877'776 bytes
MD5 hash:	7DE44B22F47E7F2B625C6A3611FE7471
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	3.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	53

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre