Windows Analysis Report
ClickShare-Extension-Pack-01.01.02.0007.msi

Overview

General Information

Sample name: ClickShare-Extension-Pack-01.01.02.0007.msi
Analysis ID: 1427889
MD5: 56d913ebbe38ab3a7f48abe1a3e9daa6
SHA1: fb6518265932a3d810183f3a6e6a0fde14a2b66e
SHA256: 26f4dc0f8ccedc064aea7fda31a2a8bec32cf7b646fa044cbfdd352f559764e0
Detection

Score: 9
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Enables driver privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Startup Folder File Write
Spawns drivers
Stores files to the Windows start menu directory
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Source: C:\Windows\System32\msiexec.exe Window detected: WixUI_Bmp_DialogI &accept the terms in the License Agreement&Print&Back&InstallCancelBarco ClickShare - End-User License Agreement (EULA / Software License)PLEASE READ THIS DOCUMENT CAREFULLY BEFORE OPENING OR DOWNLOADING AND USING SOFTWARE OR HARDWARE PROVIDED TO YOU BY BARCO AS IT CONTAINS THE TERMS AND CONDITIONS BY WHICH BARCO OFFERS TO LICENSE THE SOFTWARE. BY OPENING THE SOFTWARE PACKAGE OR USING THE HARDWARE IN WHICH THE SOFTWARE IS EMBEDDED YOU AGREE TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT.The Software as supplied by BARCO is licensed not sold to you on a non-exclusive basis for use only under the terms of this license and BARCO reserve all rights not expressly granted to you. You may own the carrier on which the Software is provided but the Software is owned and copyrighted by BARCO or by third party suppliers. Your license confers no title or ownership and is not a sale of any rights in the Software or its documentation.By installing executing and/or using the Software either as initial version or as an upgrade update patch or enhancement of a prior release this Software License shall supersede any terms and conditions previously agreed upon (whether or not in writing) between Barco and you with respect to the subject matter of this Software License and such previous terms shall from the date hereof cease to have any force or effect; provided however that this Software License shall not be construed as a renunciation discharge or waiver of any right or remedy provided in any terms and conditions previously agreed upon with respect to a failure of either party to perform any of its obligations under any terms and conditions previously agreed upon. 
Software SpecificationsThe Software contains the following software products: ClickShare Software License Terms1 This Software License is between you and BARCO NV a corporation organized and existing under the laws of Belgium registered under number BE 0473.191.041 Commercial Companies' Register of Kortrijk having its registered office President Kennedypark 35 at B-8500 Kortrijk Belgium ("Barco") for the use of the Software.You hereby undertake to inform all users authorized by you to make use of the computing device on which the Software is loaded/installed ("Authorized Users") of the terms of this Software License and to bind all Authorized Users to accept all such terms of this Software License as applies to them.2 Barco grants you a limited non-exclusive non-assignable non-transferable user license (without the right to grant sublicenses). Unless specifically agreed upon otherwise between you and Barco or unless specifically allowed by the Software (or its DRM management) itself i) the license under this Software License applies to one (1) copy of the Software to be used on one single computing device and ii) installation on a computing device that may be concurrently accessed by more than one user shall not constitute a permitted use and a separate license is required for
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe File created: C:\Users\Public\MirrorOpDisplaySetup.log
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\eula.txt
Source: Binary string: E:\V3DDK_DIR\v3DDKIndirect\trunk\Release\MirrorOpVirtualDisplay1_0.pdb source: MirrorOpVirtualDisplay1_0.dll0.2.dr
Source: Binary string: DIFxApp.pdb source: ClickShare-Extension-Pack-01.01.02.0007.msi, MSIB79.tmp.2.dr, MSI3067.tmp.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: DIFxApp.pdb@UVWATAUH source: ClickShare-Extension-Pack-01.01.02.0007.msi, MSIB79.tmp.2.dr, MSI3067.tmp.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: DIFxAppA.pdb source: ClickShare-Extension-Pack-01.01.02.0007.msi, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: E:\V3DDK_DIR\v3DDKIndirect\trunk\Release\MirrorOpVirtualDisplay1_2.pdb source: MirrorOpVirtualDisplay1_2.dll0.2.dr
Source: Binary string: E:\V3DDK_DIR\v3DDK_CUSTOMER_SETUP\Release\MirrorOpSetup32.pdb source: MirrorOpSetup32.exe.2.dr
Source: Binary string: DIFxAppA.pdb@UVWATAUH source: ClickShare-Extension-Pack-01.01.02.0007.msi, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: E:\V3DDK_DIR\v3DDK_CUSTOMER_SETUP\x64\Release\MirrorOpSetup64.pdb source: MirrorOpSetup64.exe, 00000007.00000000.2075885646.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp, MirrorOpSetup64.exe, 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp, MirrorOpSetup64.exe.2.dr
Source: Binary string: E:\V3DDK_DIR\v3DDKIndirect\trunk\x64\Release\MirrorOpVirtualDisplay1_2.pdb source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, WUDFHost.exe, 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp, SET15A9.tmp.9.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr
Source: Binary string: E:\V3DDK_DIR\v3DDKIndirect\trunk\x64\Release\MirrorOpVirtualDisplay1_0.pdb source: MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, SET1589.tmp.9.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_0.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\uica.pdb source: ClickShare-Extension-Pack-01.01.02.0007.msi, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\wixca.pdb source: ClickShare-Extension-Pack-01.01.02.0007.msi, 3f0637.msi.2.dr, 3f0639.msi.2.dr, MSI8A8.tmp.2.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E1F6F0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 7_2_00007FF642E1F6F0
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E11650 GetWindowsDirectoryW,GetLastError,PathAppendW,GetLastError,PathAppendW,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,FindClose,PathStripPathW,SetupUninstallOEMInfW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 7_2_00007FF642E11650
Source: clicksharelauncher.exe, 0000000E.00000002.4458650333.00000000002B1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: 04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56*.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)08:27*.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo)
Source: clicksharelauncher.exe, 0000000E.00000002.4458650333.00000000002B1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://bugreports.qt.io/
Source: clicksharelauncher.exe, 0000000E.00000002.4458650333.00000000002B1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://bugreports.qt.io/finishedMicrosoft-IIS/4.Microsoft-IIS/5.Netscape-Enterprise/3.WebLogicRocket
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://changelogs.ubuntu.com/changelogs/pool/main/p/pixman/pixman_0.10.0-0ubuntu1/libpixman-1-0.copy
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://creativecommons.org/licenses/by-sa/3.0/
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: 3f0639.msi.2.dr String found in binary or memory: http://dejavu-fonts.org/wiki/License
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://doc.qt.io/qt-5/lgpl.html
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://freetype.sourceforge.net/FTL.TXT
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://ftp.gnu.org/non-gnu/chinese-fonts-truetype/LICENSE
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://github.com/aFarkas/html5shiv/blob/master/MIT%20and%20GPL2%20licenses.md
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://metadata.ftp-master.debian.org/changelogs//main/libs/libsm/libsm_1.2.2-1_copyright
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://metadata.ftp-master.debian.org/changelogs//main/t/ttf-sazanami/ttf-sazanami_20040629-8_copyri
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: 3f0639.msi.2.dr String found in binary or memory: http://opensource.org/licenses/BSD-3-Clause
Source: 3f0639.msi.2.dr String found in binary or memory: http://opensource.org/licenses/GPL-2.0
Source: 3f0639.msi.2.dr String found in binary or memory: http://opensource.org/licenses/ISC
Source: 3f0639.msi.2.dr String found in binary or memory: http://opensource.org/licenses/MIT
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://opensource.org/licenses/bsd-license.php
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://opensource.org/licenses/mit-license.php
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://perldoc.perl.org/perlartistic.html
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: http://s.symcd.com06
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: http://s.symcd.com0_
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://srp.stanford.edu/license.txt
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: http://sw.symcd.com0
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: 3f0639.msi.2.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://www.cryptopp.com/License.txt
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://www.denx.de/wiki/U-Boot/Licensing
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://www.gnu.org/copyleft/fdl.html
Source: 3f0639.msi.2.dr String found in binary or memory: http://www.gnu.org/licenses/gpl.html
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://www.gnu.org/licenses/gpl.txt
Source: 3f0639.msi.2.dr String found in binary or memory: http://www.gnu.org/licenses/lgpl.html
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://www.gnu.org/licenses/old-licenses/gpl-1.0.html
Source: 3f0639.msi.2.dr String found in binary or memory: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
Source: 3f0639.msi.2.dr String found in binary or memory: http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://www.libpng.org/pub/png/src/libpng-LICENSE.txt
Source: 3f0639.msi.2.dr String found in binary or memory: http://www.openssl.org/source/license.html
Source: clicksharelauncher.exe, 0000000E.00000002.4458650333.00000000002B1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: http://www.php.net/license/3_01.txt
Source: clicksharelauncher.exe, 0000000E.00000002.4458650333.00000000002B1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.phreedom.org/md5)
Source: clicksharelauncher.exe, 0000000E.00000002.4458650333.00000000002B1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.phreedom.org/md5)08:27
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: SET2037.tmp.10.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: https://d.symcb.com/rpa0)
Source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, MirrorOpSetup64.exe.2.dr, MirrorOpVirtualDisplay1_2.dll0.2.dr, MirrorOpVirtualDisplay1_0.dll0.2.dr, SET15A9.tmp.9.dr, SET1589.tmp.9.dr, MirrorOpSetup32.exe.2.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, MirrorOpVirtualDisplay1_0.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/EvanHahn/HumanizeDuration.js
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/ablanco/jquery.pwstrength.bootstrap/blob/master/GPL-LICENSE.txt
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/ablanco/jquery.pwstrength.bootstrap/commit/19480555e8c7c2f417d78a78dac63056fa221f
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/certnanny/sscep/blob/master/COPYRIGHT
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/hayageek/jquery-upload-file
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/malsup/form#copyright-and-license
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/moment/moment/
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/nnnick/Chart.js/blob/master/LICENSE.md
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://github.com/scottjehl/Respond/blob/master/LICENSE-MIT
Source: 3f0639.msi.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://jquery.org/license/
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://opensource.org/licenses/BSD-3-Clause
Source: 3f0639.msi.2.dr String found in binary or memory: https://opensource.org/licenses/MIT
Source: 3f0639.msi.2.dr String found in binary or memory: https://osdn.jp/cvs/view/efont/sazanami/README
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://raw.github.com/joyent/node/v0.10.26/LICENSE
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://wiki.gnome.org/FoundationBoard/Resources/LicensingAgreement
Source: 3f0639.msi.2.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, clicksharelauncher.exe.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: ClickShare-Extension-Pack-01.01.02.0007.msi, eula.txt.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr String found in binary or memory: https://www.gnu.org/licenses/gpl.html
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\SET15C9.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\mirroropdisplay.cat (copy)
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe File created: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\mirroropdisplay.cat (copy)
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe File created: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\SET1368.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3f0637.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8A8.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{AA1F9CF3-F74D-4EBD-82DA-12D07064FA5C}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB49.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB79.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{AA1F9CF3-F74D-4EBD-82DA-12D07064FA5C}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{AA1F9CF3-F74D-4EBD-82DA-12D07064FA5C}\icon.ico
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3f0639.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3067.tmp
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe File created: C:\Windows\INF\c_display.PNF
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\FileRepository\mirroropdisplay.inf_amd64_81a2ef4ec907e6ad
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\FileRepository\mirroropdisplay.inf_amd64_81a2ef4ec907e6ad\amd64
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\inf\oem4.inf
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\drivers\UMDF\SET2037.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI8A8.tmp
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E11020 7_2_00007FF642E11020
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E135F0 7_2_00007FF642E135F0
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E197E8 7_2_00007FF642E197E8
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E247F4 7_2_00007FF642E247F4
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E253AC 7_2_00007FF642E253AC
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E1535C 7_2_00007FF642E1535C
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E1B9F8 7_2_00007FF642E1B9F8
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E22DBC 7_2_00007FF642E22DBC
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E22990 7_2_00007FF642E22990
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E28568 7_2_00007FF642E28568
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E1D6EC 7_2_00007FF642E1D6EC
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E1F6F0 7_2_00007FF642E1F6F0
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E19AC8 7_2_00007FF642E19AC8
Source: C:\Windows\System32\WUDFHost.exe Code function: 13_2_00007FF8B90AC734 13_2_00007FF8B90AC734
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Process token adjusted: Load Driver
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: String function: 00007FF642E129C0 appears 48 times
Source: MSIB79.tmp.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: MSI3067.tmp.2.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ClickShare-Extension-Pack-01.01.02.0007.msi Binary or memory string: OriginalFilenameuica.dll\ vs ClickShare-Extension-Pack-01.01.02.0007.msi
Source: ClickShare-Extension-Pack-01.01.02.0007.msi Binary or memory string: OriginalFilenameDIFxApp.dll vs ClickShare-Extension-Pack-01.01.02.0007.msi
Source: ClickShare-Extension-Pack-01.01.02.0007.msi Binary or memory string: OriginalFilenameDIFxAppA.dll vs ClickShare-Extension-Pack-01.01.02.0007.msi
Source: ClickShare-Extension-Pack-01.01.02.0007.msi Binary or memory string: OriginalFilenamewixca.dll\ vs ClickShare-Extension-Pack-01.01.02.0007.msi
Source: unknown Driver loaded: C:\Windows\System32\drivers\WUDFRd.sys
Source: classification engine Classification label: clean9.evad.winMSI@16/61@0/0
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Barco
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe File created: C:\Users\Public\MirrorOpDisplaySetup.log
Source: C:\Windows\System32\drvinst.exe Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DFA1094AAB77BE8A5A.TMP
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "clicksharelauncher.exe")
Source: C:\Windows\System32\msiexec.exe File read: C:\Windows\win.ini
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: ClickShare-Extension-Pack-01.01.02.0007.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ClickShare-Extension-Pack-01.01.02.0007.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E6B16BCC263E80D188A4984C7B267598
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /F /IM clicksharelauncher.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding F4B6C0AC556B4BDBCA932BA88603FA42
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe" install
Source: unknown Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\MirrorOpDisplay.inf" "9" "4208fae43" "0000000000000154" "WinSta0\Default" "000000000000016C" "208" "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx"
Source: unknown Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "1" "ROOT\DISPLAY\0000" "C:\Windows\System32\DriverStore\FileRepository\mirroropdisplay.inf_amd64_81a2ef4ec907e6ad\mirroropdisplay.inf" "oem4.inf:*:*:1.1.174.61:Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001," "4208fae43" "0000000000000168"
Source: unknown Process created: C:\Windows\System32\WUDFHost.exe "C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-35dc3092-997a-462b-8ee0-c4c46c580d41 -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-2348cb75-16eb-4e88-aea2-36cde2ec3571 -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-8f9a7ac6-e24f-4275-b4e5-c5e16ce5d6a7 -NonStateChangingEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-34c938a5-6219-4a04-8fb5-f0a5c593a835 -LifetimeId:f1058ddd-615d-4a9e-a592-7cb571a1dced -DeviceGroupId:v3DDKIndirectGroup -HostArg:0
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe"
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: riched20.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: usp10.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msls31.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Section loaded: newdev.dll
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Section loaded: devobj.dll
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Section loaded: devrtl.dll
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Section loaded: drvsetup.dll
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Section loaded: drvstore.dll
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Section loaded: cabinet.dll
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\drvinst.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: devrtl.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: drvstore.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\System32\WUDFHost.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\System32\WUDFHost.exe Section loaded: wudfplatform.dll Jump to behavior
Source: C:\Windows\System32\WUDFHost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WUDFHost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WUDFHost.exe Section loaded: avrt.dll Jump to behavior
Source: C:\Windows\System32\WUDFHost.exe Section loaded: wpprecorderum.dll Jump to behavior
Source: C:\Windows\System32\WUDFHost.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\System32\WUDFHost.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\System32\WUDFHost.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\WUDFHost.exe Section loaded: wudfx02000.dll Jump to behavior
Source: C:\Windows\System32\WUDFHost.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\System32\WUDFHost.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: avrt.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: wintab32.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Section loaded: msasn1.dll Jump to behavior
Source: ClickShare Launcher.lnk.2.dr LNK file: ..\..\..\..\..\..\..\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe
Source: ClickShare Launcher.lnk0.2.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe
Source: C:\Windows\System32\msiexec.exe Automated click: I accept the terms in the License Agreement
Source: C:\Windows\System32\msiexec.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\msiexec.exe Window detected: WixUI_Bmp_DialogI &accept the terms in the License Agreement&Print&Back&InstallCancelBarco ClickShare - End-User License Agreement (EULA / Software License)PLEASE READ THIS DOCUMENT CAREFULLY BEFORE OPENING OR DOWNLOADING AND USING SOFTWARE OR HARDWARE PROVIDED TO YOU BY BARCO AS IT CONTAINS THE TERMS AND CONDITIONS BY WHICH BARCO OFFERS TO LICENSE THE SOFTWARE. BY OPENING THE SOFTWARE PACKAGE OR USING THE HARDWARE IN WHICH THE SOFTWARE IS EMBEDDED YOU AGREE TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT.The Software as supplied by BARCO is licensed not sold to you on a non-exclusive basis for use only under the terms of this license and BARCO reserve all rights not expressly granted to you. You may own the carrier on which the Software is provided but the Software is owned and copyrighted by BARCO or by third party suppliers. Your license confers no title or ownership and is not a sale of any rights in the Software or its documentation.By installing executing and/or using the Software either as initial version or as an upgrade update patch or enhancement of a prior release this Software License shall supersede any terms and conditions previously agreed upon (whether or not in writing) between Barco and you with respect to the subject matter of this Software License and such previous terms shall from the date hereof cease to have any force or effect; provided however that this Software License shall not be construed as a renunciation discharge or waiver of any right or remedy provided in any terms and conditions previously agreed upon with respect to a failure of either party to perform any of its obligations under any terms and conditions previously agreed upon. 
Software SpecificationsThe Software contains the following software products: ClickShare Software License Terms1 This Software License is between you and BARCO NV a corporation organized and existing under the laws of Belgium registered under number BE 0473.191.041 Commercial Companies' Register of Kortrijk having its registered office President Kennedypark 35 at B-8500 Kortrijk Belgium ("Barco") for the use of the Software.You hereby undertake to inform all users authorized by you to make use of the computing device on which the Software is loaded/installed ("Authorized Users") of the terms of this Software License and to bind all Authorized Users to accept all such terms of this Software License as applies to them.2 Barco grants you a limited non-exclusive non-assignable non-transferable user license (without the right to grant sublicenses). Unless specifically agreed upon otherwise between you and Barco or unless specifically allowed by the Software (or its DRM management) itself i) the license under this Software License applies to one (1) copy of the Software to be used on one single computing device and ii) installation on a computing device that may be concurrently accessed by more than one user shall not constitute a permitted use and a separate license is required for
Source: ClickShare-Extension-Pack-01.01.02.0007.msi Static file information: File size 7888896 > 1048576
Source: Binary string: E:\V3DDK_DIR\v3DDKIndirect\trunk\Release\MirrorOpVirtualDisplay1_0.pdb source: MirrorOpVirtualDisplay1_0.dll0.2.dr
Source: Binary string: DIFxApp.pdb source: ClickShare-Extension-Pack-01.01.02.0007.msi, MSIB79.tmp.2.dr, MSI3067.tmp.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: DIFxApp.pdb@UVWATAUH source: ClickShare-Extension-Pack-01.01.02.0007.msi, MSIB79.tmp.2.dr, MSI3067.tmp.2.dr, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: DIFxAppA.pdb source: ClickShare-Extension-Pack-01.01.02.0007.msi, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: E:\V3DDK_DIR\v3DDKIndirect\trunk\Release\MirrorOpVirtualDisplay1_2.pdb source: MirrorOpVirtualDisplay1_2.dll0.2.dr
Source: Binary string: E:\V3DDK_DIR\v3DDK_CUSTOMER_SETUP\Release\MirrorOpSetup32.pdb source: MirrorOpSetup32.exe.2.dr
Source: Binary string: DIFxAppA.pdb@UVWATAUH source: ClickShare-Extension-Pack-01.01.02.0007.msi, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: E:\V3DDK_DIR\v3DDK_CUSTOMER_SETUP\x64\Release\MirrorOpSetup64.pdb source: MirrorOpSetup64.exe, 00000007.00000000.2075885646.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp, MirrorOpSetup64.exe, 00000007.00000002.2132103057.00007FF642E2A000.00000002.00000001.01000000.00000004.sdmp, MirrorOpSetup64.exe.2.dr
Source: Binary string: E:\V3DDK_DIR\v3DDKIndirect\trunk\x64\Release\MirrorOpVirtualDisplay1_2.pdb source: MirrorOpSetup64.exe, 00000007.00000003.2086881460.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2094006943.000002BD8619E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2098477873.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2125330206.00000262BEF3B000.00000004.00000020.00020000.00000000.sdmp, WUDFHost.exe, 0000000D.00000002.4459149218.00007FF8B90B0000.00000002.00000001.01000000.00000005.sdmp, SET15A9.tmp.9.dr, MirrorOpVirtualDisplay1_2.dll.2.dr, SET1338.tmp.7.dr, SET2037.tmp.10.dr
Source: Binary string: E:\V3DDK_DIR\v3DDKIndirect\trunk\x64\Release\MirrorOpVirtualDisplay1_0.pdb source: MirrorOpSetup64.exe, 00000007.00000003.2083285715.00000211E8D8C000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000009.00000003.2097148446.000002BD867D1000.00000004.00000020.00020000.00000000.sdmp, SET1589.tmp.9.dr, SET11D0.tmp.7.dr, MirrorOpVirtualDisplay1_0.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\uica.pdb source: ClickShare-Extension-Pack-01.01.02.0007.msi, 3f0637.msi.2.dr, 3f0639.msi.2.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\wixca.pdb source: ClickShare-Extension-Pack-01.01.02.0007.msi, 3f0637.msi.2.dr, 3f0639.msi.2.dr, MSI8A8.tmp.2.dr
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\MirrorOpVirtualDisplay1_0.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB79.tmp Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\SET1589.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8A8.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Jump to dropped file
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe File created: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\SET1338.tmp Jump to dropped file
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe File created: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\MirrorOpVirtualDisplay1_2.dll (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\SET15A9.tmp Jump to dropped file
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe File created: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\MirrorOpVirtualDisplay1_0.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\drivers\UMDF\MirrorOpVirtualDisplay1_2.dll (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\drivers\UMDF\SET2037.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\x86\MirrorOpVirtualDisplay1_2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\amd64\MirrorOpVirtualDisplay1_2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\amd64\MirrorOpVirtualDisplay1_0.dll Jump to dropped file
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe File created: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\SET11D0.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\x86\MirrorOpVirtualDisplay1_0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup32.exe Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\MirrorOpVirtualDisplay1_2.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3067.tmp Jump to dropped file
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe File created: C:\Users\Public\MirrorOpDisplaySetup.log Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\eula.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ClickShare Launcher.lnk Jump to behavior
Source: C:\Windows\System32\drivers\WUDFRd.sys Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WUDFRd\Parameters\Wdf Jump to behavior
Source: C:\Windows\System32\drvinst.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WUDFRd Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Barco Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Barco\ClickShare Launcher Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Barco\ClickShare Launcher\ClickShare Launcher.lnk Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WUDFHost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E11020 SetupDiCreateDeviceInfoList,GetLastError,SetupDiCreateDeviceInfoW,GetLastError,GetLastError,lstrlenW,SetupDiSetDeviceRegistryPropertyW,GetLastError,SetupDiGetClassDevsW,GetLastError,SetupDiCallClassInstaller,GetLastError,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList, 7_2_00007FF642E11020
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Window / User API: threadDelayed 4906 Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Window / User API: threadDelayed 5093 Jump to behavior
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\MirrorOpVirtualDisplay1_0.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB79.tmp Jump to dropped file
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\SET1589.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8A8.tmp Jump to dropped file
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\SET1338.tmp Jump to dropped file
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\MirrorOpVirtualDisplay1_2.dll (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\SET15A9.tmp Jump to dropped file
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\MirrorOpVirtualDisplay1_0.dll (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\drivers\UMDF\MirrorOpVirtualDisplay1_2.dll (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\drivers\UMDF\SET2037.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\x86\MirrorOpVirtualDisplay1_2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\amd64\MirrorOpVirtualDisplay1_2.dll Jump to dropped file
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\amd64\SET11D0.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\amd64\MirrorOpVirtualDisplay1_0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\x86\MirrorOpVirtualDisplay1_0.dll Jump to dropped file
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\amd64\MirrorOpVirtualDisplay1_2.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup32.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3067.tmp Jump to dropped file
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\System32\WUDFHost.exe API coverage: 8.2 %
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe TID: 3192 Thread sleep count: 4906 > 30 Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe TID: 3192 Thread sleep time: -2453000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe TID: 3192 Thread sleep count: 5093 > 30 Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe TID: 3192 Thread sleep time: -2546500s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E1F6F0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose, 7_2_00007FF642E1F6F0
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E11650 GetWindowsDirectoryW,GetLastError,PathAppendW,GetLastError,PathAppendW,GetLastError,FindFirstFileW,GetLastError,FindNextFileW,FindClose,PathStripPathW,SetupUninstallOEMInfW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 7_2_00007FF642E11650
Source: setupapi.dev.log.7.dr Binary or memory string: set: BIOS Vendor: VMware, Inc.
Source: setupapi.dev.log.7.dr Binary or memory string: sig: Key = vmci.inf
Source: clicksharelauncher.exe, 0000000E.00000002.4459946442.0000000001321000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&0000000000&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: setupapi.dev.log.7.dr Binary or memory string: inf: Service Name = vmci
Source: setupapi.dev.log.7.dr Binary or memory string: idb: {Publish Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: setupapi.dev.log.7.dr Binary or memory string: idb: Indexed 4 device IDs for 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.7.dr Binary or memory string: set: System Product Name: VMware20,1
Source: setupapi.dev.log.7.dr Binary or memory string: sto: {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf}
Source: clicksharelauncher.exe, 0000000E.00000002.4459946442.00000000012E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: clicksharelauncher.exe, 0000000E.00000002.4459946442.00000000012E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: setupapi.dev.log.7.dr Binary or memory string: sto: {Stage Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.634
Source: setupapi.dev.log.7.dr Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.inf' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf'.
Source: setupapi.dev.log.7.dr Binary or memory string: cpy: Target Path = C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563
Source: setupapi.dev.log.7.dr Binary or memory string: idb: Created driver package object 'vmci.inf_amd64_68ed49469341f563' in SYSTEM database node.
Source: setupapi.dev.log.7.dr Binary or memory string: inf: Image Path = System32\drivers\vmci.sys
Source: setupapi.dev.log.7.dr Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.sys' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.sys'.
Source: clicksharelauncher.exe, 0000000E.00000002.4459946442.0000000001303000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2024-04-19T07:47:27:389d_vmware_sata_cd00#4&224f42ef&0
Source: clicksharelauncher.exe, 0000000E.00000003.2168643484.0000000001322000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&00000
Source: setupapi.dev.log.7.dr Binary or memory string: idb: Registered driver package 'vmci.inf_amd64_68ed49469341f563' with 'oem2.inf'.
Source: setupapi.dev.log.7.dr Binary or memory string: inf: Driver package 'vmci.inf' is configurable.
Source: clicksharelauncher.exe, 0000000E.00000002.4459946442.0000000001321000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: setupapi.dev.log.7.dr Binary or memory string: sto: {Core Driver Package Import: vmci.inf_amd64_68ed49469341f563} 11:48:39.704
Source: setupapi.dev.log.7.dr Binary or memory string: flq: Copying 'C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.sys' to 'C:\Windows\System32\drivers\vmci.sys'.
Source: setupapi.dev.log.7.dr Binary or memory string: set: System Manufacturer: VMware, Inc.
Source: setupapi.dev.log.7.dr Binary or memory string: dvs: {Driver Setup Import Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.178
Source: setupapi.dev.log.7.dr Binary or memory string: idb: Activating driver package 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.7.dr Binary or memory string: cpy: Published 'vmci.inf_amd64_68ed49469341f563\vmci.inf' to 'oem2.inf'.
Source: setupapi.dev.log.7.dr Binary or memory string: inf: {Add Service: vmci}
Source: clicksharelauncher.exe, 0000000E.00000003.2834299246.000000000132C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: setupapi.dev.log.7.dr Binary or memory string: inf: Created new service 'vmci'.
Source: setupapi.dev.log.7.dr Binary or memory string: inf: Display Name = VMware VMCI Bus Driver
Source: setupapi.dev.log.7.dr Binary or memory string: set: PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3F -> Configured [oem2.inf:PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD,vmci.install.x64.NT] and started (ConfigFlags = 0x00000000).
Source: clicksharelauncher.exe, 0000000E.00000003.2162382507.0000000001322000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
Source: setupapi.dev.log.7.dr Binary or memory string: set: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000 -> Configured [disk.inf:GenDisk,disk_install.NT] and started (ConfigFlags = 0x00000000).
Source: setupapi.dev.log.7.dr Binary or memory string: utl: Driver INF - oem2.inf (C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf)
Source: setupapi.dev.log.7.dr Binary or memory string: set: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000 -> Configured [cdrom.inf:GenCdRom,cdrom_install] and started (ConfigFlags = 0x00000000).
Source: setupapi.dev.log.7.dr Binary or memory string: sig: Installed catalog 'vmci.cat' as 'oem2.cat'.
Source: setupapi.dev.log.7.dr Binary or memory string: sig: FilePath = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf
Source: setupapi.dev.log.7.dr Binary or memory string: inf: {Configure Driver Configuration: vmci.install.x64.NT}
Source: clicksharelauncher.exe, 0000000E.00000002.4459946442.0000000001321000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: clicksharelauncher.exe, 0000000E.00000003.2162422103.000000000131A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: setupapi.dev.log.7.dr Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.cat' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat'.
Source: clicksharelauncher.exe, 0000000E.00000002.4459946442.0000000001321000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&0000000000
Source: clicksharelauncher.exe, 0000000E.00000002.4460053394.000000000133D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000c5e500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\storage#volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: setupapi.dev.log.7.dr Binary or memory string: sig: Catalog = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat
Source: setupapi.dev.log.7.dr Binary or memory string: inf: Section Name = vmci.install.x64.NT
Source: setupapi.dev.log.7.dr Binary or memory string: inf: {Configure Driver: VMware VMCI Bus Device}
Source: clicksharelauncher.exe, 0000000E.00000002.4459946442.0000000001321000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&0000000000d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8
Source: setupapi.dev.log.7.dr Binary or memory string: inf: {Query Configurability: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.636
Source: setupapi.dev.log.7.dr Binary or memory string: idb: {Register Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: clicksharelauncher.exe, 0000000E.00000002.4458650333.0000000000D1A000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: .?AVQEmulationPaintEngine@@
Source: C:\Windows\System32\drivers\WUDFRd.sys System information queried: ModuleInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E183BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00007FF642E183BC
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E21CD8 GetProcessHeap, 7_2_00007FF642E21CD8
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe" Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E14828 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00007FF642E14828
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E183BC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00007FF642E183BC
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E150B8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00007FF642E150B8
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E1529C SetUnhandledExceptionFilter, 7_2_00007FF642E1529C
Source: C:\Windows\System32\WUDFHost.exe Code function: 13_2_00007FF8B90AC570 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00007FF8B90AC570
Source: C:\Windows\System32\WUDFHost.exe Code function: 13_2_00007FF8B90ABF64 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00007FF8B90ABF64
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe" install Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\SysWOW64\taskkill.exe" /F /IM clicksharelauncher.exe Jump to behavior
Source: unknown Process created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "0" "c:\users\user\appdata\local\temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\mirroropdisplay.inf" "9" "4208fae43" "0000000000000154" "winsta0\default" "000000000000016c" "208" "c:\program files (x86)\barco\clickshare extension pack\extended desktop driver\iddcx"
Source: unknown Process created: C:\Windows\System32\WUDFHost.exe "c:\windows\system32\wudfhost.exe" -hostguid:{193a1820-d9ac-4997-8c55-be817523f6aa} -ioeventportname:\umdfcommunicationports\wudf\hostprocess-35dc3092-997a-462b-8ee0-c4c46c580d41 -systemeventportname:\umdfcommunicationports\wudf\hostprocess-2348cb75-16eb-4e88-aea2-36cde2ec3571 -iocanceleventportname:\umdfcommunicationports\wudf\hostprocess-8f9a7ac6-e24f-4275-b4e5-c5e16ce5d6a7 -nonstatechangingeventportname:\umdfcommunicationports\wudf\hostprocess-34c938a5-6219-4a04-8fb5-f0a5c593a835 -lifetimeid:f1058ddd-615d-4a9e-a592-7cb571a1dced -devicegroupid:v3ddkindirectgroup -hostarg:0
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E28280 cpuid 7_2_00007FF642E28280
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E11020 SetupDiCreateDeviceInfoList,GetLastError,SetupDiCreateDeviceInfoW,GetLastError,GetLastError,lstrlenW,SetupDiSetDeviceRegistryPropertyW,GetLastError,SetupDiGetClassDevsW,GetLastError,SetupDiCallClassInstaller,GetLastError,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList, 7_2_00007FF642E11020
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\DriverStore\Temp\{3266e6e3-1dae-6a44-ae19-9eb3e91a1693}\mirroropdisplay.cat VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe Code function: 7_2_00007FF642E13F70 GetLocalTime,_invalid_parameter_noinfo_noreturn, 7_2_00007FF642E13F70
Source: C:\Windows\System32\drvinst.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
No contacted IP infos