Windows Analysis Report
QuickTimeInstaller.exe

Overview

General Information

Sample name:	QuickTimeInstaller.exe
Analysis ID:	1428136
MD5:	1a762049bef7fc3a53014833757de2d2
SHA1:	e906b9b585a02c08270316fd21f8f5ce0081526a
SHA256:	56eff77b029b5f56c47d11fe58878627065dbeacbc3108d50d98a83420152c2b
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Adds / modifies Windows certificates

Checks for available system drives (often done to infect USB drives)

Drops PE files

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Stores large binary data to the registry

Uses 32bit PE files

Classification

Signatures

Uses 32bit PE files

Source: QuickTimeInstaller.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\QuickTimeInstaller1914.log			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\QTInstallCode.log			Jump to behavior

Source: QuickTimeInstaller.exe

Static PE information: certificate valid

Source:	Binary string: c:\BWA\AppleSoftwareSupportWinPackageData-80.2\srcroot\CustomActions\AppleApplicationSupport_CustomActions.pdb<pbH source: AppleApplicationSupport.msi.0.dr
Source:	Binary string: d:\BWA\QuickTimeWinPackageData_Final-824\srcroot\setup\setup.pdb source: QuickTimeInstaller.exe
Source:	Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: AppleApplicationSupport.msi.0.dr, QuickTime.msi.0.dr
Source:	Binary string: C:\delivery\Dev\wix35_public\build\ship\x86\firewall.pdb source: AppleApplicationSupport.msi.0.dr
Source:	Binary string: d:\BWA\QuickTimeWinPackageData-824\srcroot\QTMSISupport\QTMSISupport.pdb source: MSI297E.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr
Source:	Binary string: c:\BWA\AppleSoftwareSupportWinPackageData-80.2\srcroot\CustomActions\AppleApplicationSupport_CustomActions.pdb source: AppleApplicationSupport.msi.0.dr
Source:	Binary string: d:\BWA\QuickTimeWinPackageData_Final-824\srcroot\setup\setup.pdb` source: QuickTimeInstaller.exe

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: QuickTime.msi.0.dr	String found in binary or memory: HTTP://WWW.MPEGLA.COM.
Source: QuickTimeInstaller.exe, 00000000.00000003.1767587370.0000000002C76000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767605872.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767648467.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, MSI297E.tmp.1.dr, AppleApplicationSupport.msi.0.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: QuickTimeInstaller.exe, 00000000.00000003.1767587370.0000000002C76000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767605872.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767648467.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, MSI297E.tmp.1.dr, AppleApplicationSupport.msi.0.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: MSI2A4C.tmp.1.dr	String found in binary or memory: http://quicktimepro.apple.com/y?country=%s&language=%s&productName=QuickTime%d&operatingSystem=Windo
Source: MSI297E.tmp.1.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: MSI297E.tmp.1.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: MSI297E.tmp.1.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://sf.symcd.com0&
Source: QuickTimeInstaller.exe, 00000000.00000003.1767587370.0000000002C76000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767605872.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767648467.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, MSI297E.tmp.1.dr, AppleApplicationSupport.msi.0.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: QuickTimeInstaller.exe, 00000000.00000003.1767587370.0000000002C76000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767605872.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767648467.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, MSI297E.tmp.1.dr, AppleApplicationSupport.msi.0.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: QuickTimeInstaller.exe, 00000000.00000003.1767587370.0000000002C76000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767605872.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767648467.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, MSI297E.tmp.1.dr, AppleApplicationSupport.msi.0.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com.cn/support/ARPHELPTELEPHONE(86)
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com.cnARPURLUPDATEINFOhttp://www.apple.com.cn/ProductNameApple
Source: QuickTimeInstaller.exe, 00000000.00000003.1767587370.0000000002C76000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767605872.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767648467.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, MSI297E.tmp.1.dr, AppleApplicationSupport.msi.0.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://www.apple.com/
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/br/support/ARPURLINFOABOUThttp://www.apple.com/brARPURLUPDATEINFOProductNameSup
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/de/support/ARPHELPTELEPHONE01805
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/deARPURLUPDATEINFOhttp://www.apple.com/de/
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/dk/support/ARPURLINFOABOUThttp://www.apple.com/dkARPURLUPDATEINFOProductNameApp
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/es/support/ARPURLINFOABOUThttp://www.apple.com/esARPURLUPDATEINFOhttp://www.app
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/fi/support/ARPURLINFOABOUThttp://www.apple.com/fiARPURLUPDATEINFOProductNameApp
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/fr/support/ARPHELPTELEPHONE0825
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/frARPURLUPDATEINFO
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/it/support/ARPURLINFOABOUThttp://www.apple.com/itARPURLUPDATEINFOProductNameSup
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/jp/support/ARPHELPTELEPHONE
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/jpARPURLUPDATEINFO
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/kr/support/ARPHELPTELEPHONE(82)
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/krARPURLUPDATEINFOhttp://www.apple.com/kr/ProductNameApple
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/nl/supportARPHELPTELEPHONE0900-7777703
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/nlARPURLUPDATEINFO
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/no/support/ARPHELPTELEPHONE815
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/noARPURLUPDATEINFOProductNameApple-programsupport
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/pl/support/ARPHELPTELEPHONE00-800-441875ARPURLINFOABOUThttp://www.apple.com/plA
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/pt/support/ARPURLINFOABOUThttp://www.apple.com/ptARPURLUPDATEINFOProductNameSup
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/ru/support/ARPHELPTELEPHONE
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/ruARPURLUPDATEINFOProductName
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/se/support/ARPHELPTELEPHONE0771
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/seARPURLUPDATEINFOhttp://www.apple.com/se/ProductNameApple-programst
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/tw/support/ARPHELPTELEPHONE(886)
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/twARPURLUPDATEINFOhttp://www.apple.com/tw/ProductNameApple
Source: QuickTime.msi.0.dr	String found in binary or memory: http://www.mpegla.com
Source: MSI297E.tmp.1.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: MSI297E.tmp.1.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0

PE file contains executable resources (Code or Archives)

Source: QuickTimeInstaller.exe

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 41769914 bytes, 4 files, at 0x2c +A "QuickTime.msi" +A "AppleSoftwareUpdate.msi", number 1, 1594 datablocks, 0xf03 compression

Uses 32bit PE files

Source: QuickTimeInstaller.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean3.winEXE@6/12@0/0

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\LocalLow\Apple Computer\

Jump to behavior

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe

Mutant created: \Sessions\1\BaseNamedObjects\QuickTimeInstaller

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe

File created: C:\Users\user\AppData\Local\Temp\QuickTimeInstaller1914.log

Jump to behavior

Source: QuickTimeInstaller.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QuickTimeInstaller.exe "C:\Users\user\Desktop\QuickTimeInstaller.exe"
Source: C:\Users\user\Desktop\QuickTimeInstaller.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\IXP705.TMP\QuickTime.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AF7759F71D07749EDCEA18A4E40A5B0C C
Source: C:\Users\user\Desktop\QuickTimeInstaller.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\IXP705.TMP\QuickTime.msi"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AF7759F71D07749EDCEA18A4E40A5B0C C	Jump to behavior

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QuickTimeInstaller.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: QuickTimeInstaller.exe

Static PE information: certificate valid

Source: QuickTimeInstaller.exe

Static file information: File size 41896256 > 1048576

Source: QuickTimeInstaller.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x27dc000

Source: QuickTimeInstaller.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\BWA\AppleSoftwareSupportWinPackageData-80.2\srcroot\CustomActions\AppleApplicationSupport_CustomActions.pdb<pbH source: AppleApplicationSupport.msi.0.dr
Source:	Binary string: d:\BWA\QuickTimeWinPackageData_Final-824\srcroot\setup\setup.pdb source: QuickTimeInstaller.exe
Source:	Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: AppleApplicationSupport.msi.0.dr, QuickTime.msi.0.dr
Source:	Binary string: C:\delivery\Dev\wix35_public\build\ship\x86\firewall.pdb source: AppleApplicationSupport.msi.0.dr
Source:	Binary string: d:\BWA\QuickTimeWinPackageData-824\srcroot\QTMSISupport\QTMSISupport.pdb source: MSI297E.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr
Source:	Binary string: c:\BWA\AppleSoftwareSupportWinPackageData-80.2\srcroot\CustomActions\AppleApplicationSupport_CustomActions.pdb source: AppleApplicationSupport.msi.0.dr
Source:	Binary string: d:\BWA\QuickTimeWinPackageData_Final-824\srcroot\setup\setup.pdb` source: QuickTimeInstaller.exe

Drops PE files

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\IXP705.TMP\QuickTimeInstallerAdmin.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI2A4C.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI29ED.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI2AD9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI2B68.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI297E.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI2B28.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\QuickTimeInstaller1914.log			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\QTInstallCode.log			Jump to behavior

Stores large binary data to the registry

Source: C:\Windows\SysWOW64\msiexec.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP705.TMP\QuickTimeInstallerAdmin.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2A4C.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI29ED.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2AD9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2B68.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI297E.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2B28.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: QuickTimeInstaller.exe

Binary or memory string: qEMu?

Source: C:\Windows\SysWOW64\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe

Code function: 0_2_0040FC52 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0040FC52

Adds / modifies Windows certificates

Source: C:\Windows\SysWOW64\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\IXP705.TMP\AppleApplicationSupport.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1256, Title: Installation Database, Subject: Apple, Author: Apple Inc., Keywords: Installer,MSI,Database, Comments: Apple 2.3.6, Create Time/Date: Sat Sep 14 04:45:10 2013, Name of Creating Application: Windows Installer XML (3.5.2519.0), Security: 4, Template: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053,1025, Last Saved By: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053,1025, Revision Number: {46F044A5-CE8B-4196-984E-5BD6525E361D}2.3.6;{46F044A5-CE8B-4196-984E-5BD6525E361D}2.3.6;{529316F8-601C-48AB-BAF6-D9E09938D8D3}, Number of Pages: 300, Number of Characters: 131135	1B720C225226D66085F7F08371F28909	9F2849702A83D8DA22C80C35D6786EB106CB219C	07BAD38B7F9972AA3F8228676B76200B7F675D6DDF75EB9C78EE6B3512EB94A8
C:\Users\user\AppData\Local\Temp\IXP705.TMP\AppleSoftwareUpdate.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Instalador da Actualizao de Software Apple, Author: Apple Inc., Keywords: Installer,MSI,Database, Comments: Apple Software Update 2.1.3.127, Create Time/Date: Tue Jun 21 23:23:46 2011, Name of Creating Application: Windows Installer XML (3.5.2519.0), Security: 4, Template: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053, Last Saved By: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053, Revision Number: {789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}2.1.3.127;{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}2.1.3.127;{58E373E7-C6D5-4691-885F-721D3B317918}, Number of Pages: 200, Number of Characters: 131135	A20C8EDDC732E30F7EC5A985843388ED	EF87E902739779785A4E3AAF20BE66E78062C199	CE570D6DBADF7983F7ACE0EBD033E6EF6E5347FCEEAEF512FAF1FC6775B895CE
C:\Users\user\AppData\Local\Temp\IXP705.TMP\QuickTime.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Instalador do QuickTime, Author: Apple Inc., Keywords: Installer,MSI,Database, Comments: QuickTime 7 - 7.79.80.95, Create Time/Date: Tue Dec 15 15:17:18 2015, Name of Creating Application: Windows Installer XML v2.0.3220.0 (candle/light), Security: 1, Template: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053, Last Saved By: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053, Revision Number: {FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}7.79.80.95;{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}7.79.80.95;{AA4138E3-09D5-4256-9207-6DDB76D12955}, Number of Pages: 110, Number of Characters: 153485312	5376B2262B6E9773801520B6735C6DE9	FBDDB7E5D7F06FF4E5C65D57C01EF27C0BCA7CA5	03EA287B99DF2605A9D32B0FE9096D811B8C7ED1654F822FF76F7E172E0ED0B8
C:\Users\user\AppData\Local\Temp\IXP705.TMP\QuickTimeInstallerAdmin.exe	PE32 executable (GUI) Intel 80386, for MS Windows	621ED0E1D558CD598CC423B61BFA1F04	2A0FCA94934E9614AC6AE7C4E0F593F01F17DDAB	12F4F1D2003AB8DE46C7DD67E885A90C517A0A4596953FE796BF0C3754112043
C:\Users\user\AppData\Local\Temp\MSI297E.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	FC09FD1C7A4E16AB8A5E9106F1344BF2	8B07A5259B8F3A2ECB4758AB745AE3E8F7B9D652	F3569339784A54AC40E0BA00B86E225AC0804E8112956DEC6B1EA805D514F638
C:\Users\user\AppData\Local\Temp\MSI29ED.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	FC09FD1C7A4E16AB8A5E9106F1344BF2	8B07A5259B8F3A2ECB4758AB745AE3E8F7B9D652	F3569339784A54AC40E0BA00B86E225AC0804E8112956DEC6B1EA805D514F638
C:\Users\user\AppData\Local\Temp\MSI2A4C.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1F847C95ADF4F7FE0956D815CB17D907	0D3638822942AD4D9C0D492C5DF5FB33F36FA178	10DB6192B63C7260405597F9F8A1EB54A9F4F49B34A87B68BE04BB8BD815DA1D
C:\Users\user\AppData\Local\Temp\MSI2AD9.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	FC09FD1C7A4E16AB8A5E9106F1344BF2	8B07A5259B8F3A2ECB4758AB745AE3E8F7B9D652	F3569339784A54AC40E0BA00B86E225AC0804E8112956DEC6B1EA805D514F638
C:\Users\user\AppData\Local\Temp\MSI2B28.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	FC09FD1C7A4E16AB8A5E9106F1344BF2	8B07A5259B8F3A2ECB4758AB745AE3E8F7B9D652	F3569339784A54AC40E0BA00B86E225AC0804E8112956DEC6B1EA805D514F638
C:\Users\user\AppData\Local\Temp\MSI2B68.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	FC09FD1C7A4E16AB8A5E9106F1344BF2	8B07A5259B8F3A2ECB4758AB745AE3E8F7B9D652	F3569339784A54AC40E0BA00B86E225AC0804E8112956DEC6B1EA805D514F638
C:\Users\user\AppData\Local\Temp\QTInstallCode.log	ASCII text, with CRLF line terminators	B4A4028E173B77D84D9206B754525082	227B62C1E9F8F2A34A7B1B774118D64DAA568FF8	7E8404A1FADA93368536C90C77BB6543819620CDF03F48163DE434F347B8DC7D
C:\Users\user\AppData\Local\Temp\QuickTimeInstaller1914.log	ASCII text, with CRLF line terminators	2FB45F81402EE99291A3500A7CD7A980	981234E782E22533CF1B72728410239A9E029D42	1AF02971F9CFABD1B10F642A399AB696F22E32596C828B1FE65F7AA118DBABC0

Uses 32bit PE files

Source: QuickTimeInstaller.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\QuickTimeInstaller1914.log			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\QTInstallCode.log			Jump to behavior

Source: QuickTimeInstaller.exe

Static PE information: certificate valid

Source:	Binary string: c:\BWA\AppleSoftwareSupportWinPackageData-80.2\srcroot\CustomActions\AppleApplicationSupport_CustomActions.pdb<pbH source: AppleApplicationSupport.msi.0.dr
Source:	Binary string: d:\BWA\QuickTimeWinPackageData_Final-824\srcroot\setup\setup.pdb source: QuickTimeInstaller.exe
Source:	Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: AppleApplicationSupport.msi.0.dr, QuickTime.msi.0.dr
Source:	Binary string: C:\delivery\Dev\wix35_public\build\ship\x86\firewall.pdb source: AppleApplicationSupport.msi.0.dr
Source:	Binary string: d:\BWA\QuickTimeWinPackageData-824\srcroot\QTMSISupport\QTMSISupport.pdb source: MSI297E.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr
Source:	Binary string: c:\BWA\AppleSoftwareSupportWinPackageData-80.2\srcroot\CustomActions\AppleApplicationSupport_CustomActions.pdb source: AppleApplicationSupport.msi.0.dr
Source:	Binary string: d:\BWA\QuickTimeWinPackageData_Final-824\srcroot\setup\setup.pdb` source: QuickTimeInstaller.exe

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: QuickTime.msi.0.dr	String found in binary or memory: HTTP://WWW.MPEGLA.COM.
Source: QuickTimeInstaller.exe, 00000000.00000003.1767587370.0000000002C76000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767605872.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767648467.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, MSI297E.tmp.1.dr, AppleApplicationSupport.msi.0.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: QuickTimeInstaller.exe, 00000000.00000003.1767587370.0000000002C76000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767605872.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767648467.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, MSI297E.tmp.1.dr, AppleApplicationSupport.msi.0.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: MSI2A4C.tmp.1.dr	String found in binary or memory: http://quicktimepro.apple.com/y?country=%s&language=%s&productName=QuickTime%d&operatingSystem=Windo
Source: MSI297E.tmp.1.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: MSI297E.tmp.1.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: MSI297E.tmp.1.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://sf.symcd.com0&
Source: QuickTimeInstaller.exe, 00000000.00000003.1767587370.0000000002C76000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767605872.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767648467.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, MSI297E.tmp.1.dr, AppleApplicationSupport.msi.0.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: QuickTimeInstaller.exe, 00000000.00000003.1767587370.0000000002C76000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767605872.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767648467.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, MSI297E.tmp.1.dr, AppleApplicationSupport.msi.0.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: QuickTimeInstaller.exe, 00000000.00000003.1767587370.0000000002C76000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767605872.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767648467.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, MSI297E.tmp.1.dr, AppleApplicationSupport.msi.0.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com.cn/support/ARPHELPTELEPHONE(86)
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com.cnARPURLUPDATEINFOhttp://www.apple.com.cn/ProductNameApple
Source: QuickTimeInstaller.exe, 00000000.00000003.1767587370.0000000002C76000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767605872.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, QuickTimeInstaller.exe, 00000000.00000003.1767648467.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, MSI297E.tmp.1.dr, AppleApplicationSupport.msi.0.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: http://www.apple.com/
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/br/support/ARPURLINFOABOUThttp://www.apple.com/brARPURLUPDATEINFOProductNameSup
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/de/support/ARPHELPTELEPHONE01805
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/deARPURLUPDATEINFOhttp://www.apple.com/de/
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/dk/support/ARPURLINFOABOUThttp://www.apple.com/dkARPURLUPDATEINFOProductNameApp
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/es/support/ARPURLINFOABOUThttp://www.apple.com/esARPURLUPDATEINFOhttp://www.app
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/fi/support/ARPURLINFOABOUThttp://www.apple.com/fiARPURLUPDATEINFOProductNameApp
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/fr/support/ARPHELPTELEPHONE0825
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/frARPURLUPDATEINFO
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/it/support/ARPURLINFOABOUThttp://www.apple.com/itARPURLUPDATEINFOProductNameSup
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/jp/support/ARPHELPTELEPHONE
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/jpARPURLUPDATEINFO
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/kr/support/ARPHELPTELEPHONE(82)
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/krARPURLUPDATEINFOhttp://www.apple.com/kr/ProductNameApple
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/nl/supportARPHELPTELEPHONE0900-7777703
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/nlARPURLUPDATEINFO
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/no/support/ARPHELPTELEPHONE815
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/noARPURLUPDATEINFOProductNameApple-programsupport
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/pl/support/ARPHELPTELEPHONE00-800-441875ARPURLINFOABOUThttp://www.apple.com/plA
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/pt/support/ARPURLINFOABOUThttp://www.apple.com/ptARPURLUPDATEINFOProductNameSup
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/ru/support/ARPHELPTELEPHONE
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/ruARPURLUPDATEINFOProductName
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/se/support/ARPHELPTELEPHONE0771
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/seARPURLUPDATEINFOhttp://www.apple.com/se/ProductNameApple-programst
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/tw/support/ARPHELPTELEPHONE(886)
Source: AppleApplicationSupport.msi.0.dr	String found in binary or memory: http://www.apple.com/twARPURLUPDATEINFOhttp://www.apple.com/tw/ProductNameApple
Source: QuickTime.msi.0.dr	String found in binary or memory: http://www.mpegla.com
Source: MSI297E.tmp.1.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: MSI297E.tmp.1.dr, MSI2A4C.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0

PE file contains executable resources (Code or Archives)

Source: QuickTimeInstaller.exe

Uses 32bit PE files

Source: QuickTimeInstaller.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean3.winEXE@6/12@0/0

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\LocalLow\Apple Computer\

Jump to behavior

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe

Mutant created: \Sessions\1\BaseNamedObjects\QuickTimeInstaller

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe

File created: C:\Users\user\AppData\Local\Temp\QuickTimeInstaller1914.log

Jump to behavior

Source: QuickTimeInstaller.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QuickTimeInstaller.exe "C:\Users\user\Desktop\QuickTimeInstaller.exe"
Source: C:\Users\user\Desktop\QuickTimeInstaller.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\IXP705.TMP\QuickTime.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AF7759F71D07749EDCEA18A4E40A5B0C C
Source: C:\Users\user\Desktop\QuickTimeInstaller.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\IXP705.TMP\QuickTime.msi"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AF7759F71D07749EDCEA18A4E40A5B0C C	Jump to behavior

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QuickTimeInstaller.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: QuickTimeInstaller.exe

Static PE information: certificate valid

Source: QuickTimeInstaller.exe

Static file information: File size 41896256 > 1048576

Source: QuickTimeInstaller.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x27dc000

Source: QuickTimeInstaller.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\BWA\AppleSoftwareSupportWinPackageData-80.2\srcroot\CustomActions\AppleApplicationSupport_CustomActions.pdb<pbH source: AppleApplicationSupport.msi.0.dr
Source:	Binary string: d:\BWA\QuickTimeWinPackageData_Final-824\srcroot\setup\setup.pdb source: QuickTimeInstaller.exe
Source:	Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: AppleApplicationSupport.msi.0.dr, QuickTime.msi.0.dr
Source:	Binary string: C:\delivery\Dev\wix35_public\build\ship\x86\firewall.pdb source: AppleApplicationSupport.msi.0.dr
Source:	Binary string: d:\BWA\QuickTimeWinPackageData-824\srcroot\QTMSISupport\QTMSISupport.pdb source: MSI297E.tmp.1.dr, MSI2AD9.tmp.1.dr, MSI29ED.tmp.1.dr
Source:	Binary string: c:\BWA\AppleSoftwareSupportWinPackageData-80.2\srcroot\CustomActions\AppleApplicationSupport_CustomActions.pdb source: AppleApplicationSupport.msi.0.dr
Source:	Binary string: d:\BWA\QuickTimeWinPackageData_Final-824\srcroot\setup\setup.pdb` source: QuickTimeInstaller.exe

Drops PE files

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\IXP705.TMP\QuickTimeInstallerAdmin.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI2A4C.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI29ED.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI2AD9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI2B68.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI297E.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI2B28.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\QuickTimeInstaller1914.log			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\QTInstallCode.log			Jump to behavior

Stores large binary data to the registry

Source: C:\Windows\SysWOW64\msiexec.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP705.TMP\QuickTimeInstallerAdmin.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2A4C.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI29ED.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2AD9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2B68.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI297E.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2B28.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: QuickTimeInstaller.exe

Binary or memory string: qEMu?

Source: C:\Windows\SysWOW64\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\QuickTimeInstaller.exe

Code function: 0_2_0040FC52 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0040FC52

Adds / modifies Windows certificates

Source: C:\Windows\SysWOW64\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob

Jump to behavior

ID:	1428136
Product:	CloudBasic
Start time:	15:43:58
Start date:	18.04.2024
Sample:	QuickTimeInstaller.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	1a762049bef7fc3a53014833757de2d2
SHA1:	e906b9b585a02c08270316fd21f8f5ce0081526a
SHA256:	56eff77b029b5f56c47d11fe58878627065dbeacbc3108d50d98a83420152c2b
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
QuickTimeInstaller.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report QuickTimeInstaller.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
QuickTimeInstaller.exe