Windows Analysis Report
sc_setup_x64.exe

Overview

General Information

Sample name: sc_setup_x64.exe
Analysis ID: 1428621
MD5: 615cfd6d3775cb9135777d3a384d384e
SHA1: 52e7041945bdb2fa9a700af968a05a4795aa3605
SHA256: 29553153308344c8f4daae0fc16a06a988ce005ed46dd09aa46921372b3b4ffe
Infos:

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
One or more processes crash
Sample file is different than original file name gathered from version info

Classification

Source: sc_setup_x64.exe Static PE information: certificate valid
Source: sc_setup_x64.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: sc_setup_x64.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: sc_setup_x64.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: sc_setup_x64.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: sc_setup_x64.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: sc_setup_x64.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: sc_setup_x64.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: sc_setup_x64.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: sc_setup_x64.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: sc_setup_x64.exe String found in binary or memory: http://ocsp.digicert.com0
Source: sc_setup_x64.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: sc_setup_x64.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: sc_setup_x64.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: sc_setup_x64.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_000000014001C010 0_2_000000014001C010
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_000000014001C226 0_2_000000014001C226
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_0000000140010290 0_2_0000000140010290
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_00000001400112E0 0_2_00000001400112E0
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_000000014001C668 0_2_000000014001C668
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_0000000140017880 0_2_0000000140017880
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_000000014001C8E8 0_2_000000014001C8E8
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_000000014000CC20 0_2_000000014000CC20
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_000000014000DDA0 0_2_000000014000DDA0
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_0000000140006DEC 0_2_0000000140006DEC
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_0000000140019E40 0_2_0000000140019E40
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_0000000140007F70 0_2_0000000140007F70
Source: C:\Users\user\Desktop\sc_setup_x64.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7048 -s 464
Source: sc_setup_x64.exe, 00000000.00000002.2127048666.0000000140047000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesc_setup.EXEJ vs sc_setup_x64.exe
Source: sc_setup_x64.exe Binary or memory string: OriginalFilenamesc_setup.EXEJ vs sc_setup_x64.exe
Source: classification engine Classification label: clean5.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_0000000140006230 #1641,CreateFileW,#316,#4656,#1641,MessageBoxW,#1034,_ftime64,_localtime64,#316,#1641,#306,#1641,#306,#4658,#1034,#1034,WriteFile,memset,GetStdHandle,#280,#4947,#1641,CreateProcessW,GetLastError,FormatMessageW,#286,LocalFree,#316,#4656,#1641,MessageBoxW,CloseHandle,#1034,#1034,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,#1034,#1034, 0_2_0000000140006230
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_0000000140006050 CoCreateInstance, 0_2_0000000140006050
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_0000000140015BA0 #10163,#2212,FindResourceW,#2212,LoadResource,LockResource,#286,#4656,#1034,#14128, 0_2_0000000140015BA0
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7048
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3d0d1cc2-52ad-4333-b40e-36035397c7e4
Source: sc_setup_x64.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sc_setup_x64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\sc_setup_x64.exe "C:\Users\user\Desktop\sc_setup_x64.exe"
Source: C:\Users\user\Desktop\sc_setup_x64.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\sc_setup_x64.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\sc_setup_x64.exe Section loaded: mfc140u.dll
Source: C:\Users\user\Desktop\sc_setup_x64.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\sc_setup_x64.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\sc_setup_x64.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\sc_setup_x64.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\sc_setup_x64.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\sc_setup_x64.exe Section loaded: sc_kernel_basic_x64.dll
Source: sc_setup_x64.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: sc_setup_x64.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_0000000140011E10 #286,#1034,#286,#1034,RegisterWindowMessageW,InitCommonControlsEx,FindWindowW,MessageBoxW,#13199,FindWindowW,#4726,CoInitializeEx,#2270,free,_wcsdup,#2212,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,#13545,#11709,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290
,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#290,#1034,#316,#316,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#1504,#150 0_2_0000000140011E10
Source: C:\Users\user\Desktop\sc_setup_x64.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\sc_setup_x64.exe API coverage: 1.0 %
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\sc_setup_x64.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_000000014001F7DC GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_000000014001F7DC
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_000000014001EA6C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000000014001EA6C
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_000000014001EC44 SetUnhandledExceptionFilter, 0_2_000000014001EC44
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_000000014001DFA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_000000014001DFA0
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_0000000140011130 AllocateAndInitializeSid,GetNamedSecurityInfoW,SetEntriesInAclW,SetNamedSecurityInfoW,LocalFree,LocalFree,FreeSid, 0_2_0000000140011130
Source: C:\Users\user\Desktop\sc_setup_x64.exe Code function: 0_2_000000014001E974 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_000000014001E974
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe
No contacted IP infos