Windows Analysis Report
AGLCStructuredSettlementsInstaller.exe

Overview

General Information

Sample name: AGLCStructuredSettlementsInstaller.exe
Analysis ID: 1428780
MD5: a53cb926ff7c4af575102bc08594327f
SHA1: 03d6a95e1eec98cf7eaebe508166700748b153ea
SHA256: f7139b8276726858e5f3e05939e012506beec45c93a062ea6469bfb76bd1958a

Detection

Score: 25
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Yara detected Generic Downloader
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E452B0 CryptDestroyKey, 0_2_00E452B0
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E454D4 CryptAcquireContextW,CryptReleaseContext,CryptDestroyHash, 0_2_00E454D4
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E45457 CoCreateGuid,StringFromGUID2,CryptAcquireContextW,CryptCreateHash, 0_2_00E45457
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_003A52B0 CryptDestroyKey, 1_2_003A52B0
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_003A5457 CoCreateGuid,StringFromGUID2,CryptAcquireContextW,CryptCreateHash, 1_2_003A5457
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_003A54D4 CryptAcquireContextW,CryptReleaseContext,CryptDestroyHash, 1_2_003A54D4
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\EULA.rtf
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: c:\Projects\12.2\BuildLabel\Temp\NetStudio.v12.2.2005\Win\DevExpress.Office\DevExpress.Office.Core\obj\Release\DevExpress.Office.v12.2.Core.pdb source: DevExpress.Office.v12.2.Core.dll.3.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setupPreReq.pdb source: AGLCStructuredSettlementsInstaller.exe
Source: Binary string: C:\CodeBases\isdev\Src\BackEnd\Locked\IsIcoRes\isicores.pdb source: Structured Settlements.msi0.1.dr
Source: Binary string: E:\jh\a1\211fd6b4\workspace\feature_td_merge12f3a54d\AGLCSS.ClientCase\obj\Release\AGLCSS.ClientCaseInfo.pdb source: AGLCSS.ClientCaseInfo.dll.3.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\SetAllUsers.pdb source: Structured Settlements.msi0.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setupPreReq.pdbH source: AGLCStructuredSettlementsInstaller.exe
Source: Binary string: C:\CodeBases\isdev\redist\language independent\i386\ISRegSvr.pdb source: Structured Settlements.msi0.1.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E2C759 __EH_prolog3_GS,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,FindClose, 0_2_00E2C759
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E154A5 __EH_prolog3_GS,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,FindClose, 0_2_00E154A5
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_003754A5 __EH_prolog3_GS,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,FindClose, 1_2_003754A5
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_0038C759 __EH_prolog3_GS,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,FindClose, 1_2_0038C759

Networking

Source: Yara match File source: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\TallComponents.PDF.Controls.WinForms.dll, type: DROPPED
Source: Structured Settlements.msi0.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Structured Settlements.msi0.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Structured Settlements.msi0.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Structured Settlements.msi0.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: DevExpress.Office.v12.2.Core.dll.3.dr String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: DevExpress.Office.v12.2.Core.dll.3.dr String found in binary or memory: http://certificates.godaddy.com/repository/gd_intermediate.crt0
Source: DevExpress.Office.v12.2.Core.dll.3.dr String found in binary or memory: http://certificates.godaddy.com/repository/gdroot.crl0K
Source: DevExpress.Office.v12.2.Core.dll.3.dr String found in binary or memory: http://certificates.godaddy.com/repository0
Source: DevExpress.Office.v12.2.Core.dll.3.dr String found in binary or memory: http://certificates.godaddy.com/repository100.
Source: DevExpress.Office.v12.2.Core.dll.3.dr String found in binary or memory: http://crl.godaddy.com/gds5-16.crl0S
Source: Structured Settlements.msi0.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Structured Settlements.msi0.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Structured Settlements.msi0.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Structured Settlements.msi0.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Structured Settlements.msi0.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Structured Settlements.msi0.1.dr String found in binary or memory: http://ocsp.digicert.com0
Source: Structured Settlements.msi0.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: Structured Settlements.msi0.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Structured Settlements.msi0.1.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: DevExpress.Office.v12.2.Core.dll.3.dr String found in binary or memory: http://ocsp.godaddy.com/0J
Source: DevExpress.Office.v12.2.Core.dll.3.dr String found in binary or memory: http://ocsp.godaddy.com0F
Source: AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1791232934.0000000004B20000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.2229552461.0000000004AF3000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1790956570.0000000004AF6000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1791410497.0000000004B1F000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.2229380795.0000000004AF2000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.2229188521.0000000004ADF000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1792335082.0000000004B25000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1791559145.0000000004AF9000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1790835496.0000000004B18000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1794284895.0000000004B23000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1792020776.0000000004B26000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1791479808.0000000004B23000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1790472353.0000000004AF9000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1790662848.0000000004AFA000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1790296600.0000000004B25000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1791166073.0000000004B16000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1790397779.0000000004B1F000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1792770948.0000000004B23000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1790883439.0000000004B23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://saturn.installshield.com/is/prerequisites/microsoft
Source: AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1843957737.0000000004B6C000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1822054656.0000000004B67000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1843819004.0000000004B40000.00000004.00000020.00020000.00000000.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000003.1843977341.0000000004B6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.CorebridgeFinancial.com
Source: AGLC107709-FL-2018.pdf.3.dr String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: Aspose.PDF.xml.3.dr String found in binary or memory: http://www.aiim.org/pdfa/ns/field#
Source: AGLC107709-FL-2018.pdf.3.dr, Aspose.PDF.xml.3.dr String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: AGLC107709-FL-2018.pdf.3.dr String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: Aspose.PDF.xml.3.dr String found in binary or memory: http://www.aiim.org/pdfa/ns/type#
Source: AGLC107709-FL-2018.pdf.3.dr String found in binary or memory: http://www.aiim.org/pdfua/ns/id/
Source: Aspose.PDF.xml.3.dr String found in binary or memory: http://www.aspose.com
Source: DevExpress.Office.v12.2.Core.dll.3.dr String found in binary or memory: http://www.devexpress.com
Source: Structured Settlements.msi0.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Structured Settlements.msi0.1.dr String found in binary or memory: http://www.flexerasoftware.com0
Source: AGLCStructuredSettlementsInstaller.exe String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: Aspose.PDF.xml.3.dr String found in binary or memory: https://developer.apple.com/fonts/TrueType-Reference-Manual/RM06/Chap6cmap.html.
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E3F2C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 0_2_00E3F2C0
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_0039F2C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 1_2_0039F2C0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4889b3.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{7A470A9C-C6D5-411A-9E66-42C3D1BCC10D}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9462.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{7A470A9C-C6D5-411A-9E66-42C3D1BCC10D}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{7A470A9C-C6D5-411A-9E66-42C3D1BCC10D}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{7A470A9C-C6D5-411A-9E66-42C3D1BCC10D}\_1B086178_A74C_45CD_B17B_C24F85AAF899
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{7A470A9C-C6D5-411A-9E66-42C3D1BCC10D}\ApplicationShortcu_5528DECE9BBB4B31B1CE01660AA713F5.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{7A470A9C-C6D5-411A-9E66-42C3D1BCC10D}\DesktopShortcut_9CC916EFDE5E4C0BBC65AF72911A3204.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4889b5.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4889b5.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\4889b5.msi
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E6877C 0_2_00E6877C
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E4497A 0_2_00E4497A
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00DF6AC1 0_2_00DF6AC1
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E54B9E 0_2_00E54B9E
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E5B100 0_2_00E5B100
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00DED230 0_2_00DED230
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E11AD1 0_2_00E11AD1
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00DE9BE0 0_2_00DE9BE0
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E29B59 0_2_00E29B59
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00DEDD70 0_2_00DEDD70
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_00371AD1 1_2_00371AD1
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_00389B59 1_2_00389B59
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_003C877C 1_2_003C877C
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_003A497A 1_2_003A497A
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_00356AC1 1_2_00356AC1
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_003B4B9E 1_2_003B4B9E
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_003BB100 1_2_003BB100
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_0034D230 1_2_0034D230
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_00349BE0 1_2_00349BE0
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_0034DD70 1_2_0034DD70
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: String function: 0035070A appears 45 times
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: String function: 00399B85 appears 348 times
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: String function: 00347AA0 appears 313 times
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: String function: 0035099E appears 65 times
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: String function: 00399B52 appears 506 times
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: String function: 00346B40 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: String function: 00355EAE appears 79 times
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: String function: 0035678B appears 34 times
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: String function: 00DF678B appears 34 times
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: String function: 00DF070A appears 43 times
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: String function: 00DE6B40 appears 52 times
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: String function: 00E39B52 appears 505 times
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: String function: 00DE7AA0 appears 312 times
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: String function: 00DF099E appears 65 times
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: String function: 00DF5EAE appears 80 times
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: String function: 00E39B85 appears 348 times
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: sus25.troj.winEXE@9/533@0/0
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E3F2C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 0_2_00E3F2C0
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_0039F2C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 1_2_0039F2C0
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E37CF7 lstrcpyW,GetDiskFreeSpaceExW, 0_2_00E37CF7
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E1A150 CoCreateInstance, 0_2_00E1A150
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E3E97C __EH_prolog3_GS,LoadResource, 0_2_00E3E97C
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe File created: C:\Users\user\AppData\Local\Downloaded Installations
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2664:120:WilError_03
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe File created: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe File read: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\_ISMSIDEL.INI
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe File read: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe
Source: unknown Process created: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe "C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe"
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Process created: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe /q"C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}" /IS_temp
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Downloaded Installations\{2DAE1BFB-6F68-4AD8-A074-1F290D098EE1}\Structured Settlements.msi" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="AGLCStructuredSettlementsInstaller.exe"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Process created: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe /q"C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}" /IS_temp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Downloaded Installations\{2DAE1BFB-6F68-4AD8-A074-1F290D098EE1}\Structured Settlements.msi" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="AGLCStructuredSettlementsInstaller.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}" Jump to behavior
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: riched20.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: usp10.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msls31.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe File written: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\_ISMSIDEL.INI
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: I accept the terms in the license agreement
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: AGLCStructuredSettlementsInstaller.exe Static file information: File size 90597468 > 1048576
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: c:\Projects\12.2\BuildLabel\Temp\NetStudio.v12.2.2005\Win\DevExpress.Office\DevExpress.Office.Core\obj\Release\DevExpress.Office.v12.2.Core.pdb source: DevExpress.Office.v12.2.Core.dll.3.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setupPreReq.pdb source: AGLCStructuredSettlementsInstaller.exe
Source: Binary string: C:\CodeBases\isdev\Src\BackEnd\Locked\IsIcoRes\isicores.pdb source: Structured Settlements.msi0.1.dr
Source: Binary string: E:\jh\a1\211fd6b4\workspace\feature_td_merge12f3a54d\AGLCSS.ClientCase\obj\Release\AGLCSS.ClientCaseInfo.pdb source: AGLCSS.ClientCaseInfo.dll.3.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\SetAllUsers.pdb source: Structured Settlements.msi0.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setupPreReq.pdbH source: AGLCStructuredSettlementsInstaller.exe
Source: Binary string: C:\CodeBases\isdev\redist\language independent\i386\ISRegSvr.pdb source: Structured Settlements.msi0.1.dr
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: Newtonsoft.Json.dll.3.dr Static PE information: 0x8AD6F8DA [Sun Oct 25 00:03:38 2043 UTC]
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E38011 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,#17, 0_2_00E38011
Source: AGLCStructuredSettlementsInstaller.exe Static PE information: section name: .didat
Source: AGLCStructuredSettlementsInstaller.exe.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E3A610 push ecx; ret 0_2_00E3A623
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E6477C push dword ptr [esp+ecx-75h]; iretd 0_2_00E64780
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E39B20 push ecx; ret 0_2_00E39B33
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_0039A610 push ecx; ret 1_2_0039A623
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_003C477C push dword ptr [esp+ecx-75h]; iretd 1_2_003C4780
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_00399B20 push ecx; ret 1_2_00399B33
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.Data.v10.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.Utils.v10.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.XtraNavBar.v12.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.XtraGrid.v12.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\System.Numerics.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\Wnl.SS.Quote.QuoteProcessor.DomainLayer.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Calc.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.XtraLayout.v12.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.RichEdit.v12.2.Core.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\Ciloci.Flee.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Enumerations.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\RestSharp.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.Printing.v12.2.Core.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.BonusSkins.v12.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\IMG.WCF.BehaviourExtension.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Deployment.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.Office.v12.2.Core.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.ClientCaseInfo.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Messages.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\Kjs.AppLife.Update.Controller.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{7A470A9C-C6D5-411A-9E66-42C3D1BCC10D}\_1B086178_A74C_45CD_B17B_C24F85AAF899
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\TallComponents.PDF.Controls.WinForms.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Data.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.Web.v12.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.ClientReader.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{7A470A9C-C6D5-411A-9E66-42C3D1BCC10D}\DesktopShortcut_9CC916EFDE5E4C0BBC65AF72911A3204.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.ProductInfo.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Agents.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.ClientInfo.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{7A470A9C-C6D5-411A-9E66-42C3D1BCC10D}\ApplicationShortcu_5528DECE9BBB4B31B1CE01660AA713F5.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Mortality.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.XtraEditors.v10.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Validation.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\System.Data.SQLite.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\System.Dynamic.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\x86\SQLite.Interop.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.XtraRichEdit.v12.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Credit.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Splash.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\System.Data.SQLite.EF6.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\IntegratedCalculationEngine.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.PDFViewer.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\Microsoft.CSharp.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.XtraTreeList.v12.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.Data.v12.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\Wnl.SS.Quote.QuoteProcessor.DataTransformationLayer.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\Aspose.PDF.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\EntityFramework.SqlServer.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{7A470A9C-C6D5-411A-9E66-42C3D1BCC10D}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.XtraBars.v12.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Activation.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\itextsharp.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Print.dll
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe File created: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\EntityFramework.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Helpers.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DotNetZip.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\System.Data.SQLite.Linq.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.XtraEditors.v12.2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\x64\SQLite.Interop.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.Utils.v12.2.dll
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E0F0D0 __EH_prolog3_GS,CoCreateGuid,CreateDirectoryW,GetPrivateProfileStringW,CreateDirectoryW, 0_2_00E0F0D0
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_0036F0D0 __EH_prolog3_GS,CoCreateGuid,CreateDirectoryW,GetPrivateProfileStringW,CreateDirectoryW, 1_2_0036F0D0
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\EULA.rtf
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Corebridge Financial
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Corebridge Financial\Structured Settlements
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Corebridge Financial\Structured Settlements\AGLC Structured Settlements.lnk
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.Data.v10.2.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.Utils.v10.2.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.XtraNavBar.v12.2.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.XtraGrid.v12.2.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\System.Numerics.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\Wnl.SS.Quote.QuoteProcessor.DomainLayer.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Calc.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.XtraLayout.v12.2.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.RichEdit.v12.2.Core.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Enumerations.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\Ciloci.Flee.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\RestSharp.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.Printing.v12.2.Core.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Deployment.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.BonusSkins.v12.2.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\IMG.WCF.BehaviourExtension.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.Office.v12.2.Core.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.ClientCaseInfo.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Messages.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\Kjs.AppLife.Update.Controller.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{7A470A9C-C6D5-411A-9E66-42C3D1BCC10D}\_1B086178_A74C_45CD_B17B_C24F85AAF899
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\TallComponents.PDF.Controls.WinForms.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Data.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.Web.v12.2.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.ClientReader.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.ProductInfo.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{7A470A9C-C6D5-411A-9E66-42C3D1BCC10D}\DesktopShortcut_9CC916EFDE5E4C0BBC65AF72911A3204.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Agents.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.ClientInfo.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{7A470A9C-C6D5-411A-9E66-42C3D1BCC10D}\ApplicationShortcu_5528DECE9BBB4B31B1CE01660AA713F5.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Mortality.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.XtraEditors.v10.2.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Validation.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\System.Data.SQLite.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\System.Dynamic.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\x86\SQLite.Interop.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.XtraRichEdit.v12.2.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Credit.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Splash.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\System.Data.SQLite.EF6.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\IntegratedCalculationEngine.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.PDFViewer.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\Microsoft.CSharp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.XtraTreeList.v12.2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.Data.v12.2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\Wnl.SS.Quote.QuoteProcessor.DataTransformationLayer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\Aspose.PDF.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\EntityFramework.SqlServer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{7A470A9C-C6D5-411A-9E66-42C3D1BCC10D}\ARPPRODUCTICON.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.XtraBars.v12.2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Activation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\itextsharp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Print.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\EntityFramework.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\AGLCSS.Helpers.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DotNetZip.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\System.Data.SQLite.Linq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.XtraEditors.v12.2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\DevExpress.Utils.v12.2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\AGL\Structured Settlements\x64\SQLite.Interop.dll Jump to dropped file
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe API coverage: 6.3 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E2C759 __EH_prolog3_GS,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,FindClose, 0_2_00E2C759
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E154A5 __EH_prolog3_GS,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,FindClose, 0_2_00E154A5
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_003754A5 __EH_prolog3_GS,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW,FindClose, 1_2_003754A5
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_0038C759 __EH_prolog3_GS,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,FindClose, 1_2_0038C759
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E36278 __EH_prolog3,CreateFileW,CreateFileMappingW,GetSystemInfo,MapViewOfFile,IsBadReadPtr,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,IsBadReadPtr,GetLastError,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 0_2_00E36278
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E567F9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E567F9
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E38011 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,#17, 0_2_00E38011
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E5E71A mov eax, dword ptr fs:[00000030h] 0_2_00E5E71A
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_003BE71A mov eax, dword ptr fs:[00000030h] 1_2_003BE71A
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00DF2400 GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,_strlen,_wcslen,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree, 0_2_00DF2400
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E3A060 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00E3A060
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E3A810 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E3A810
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E3A9B5 SetUnhandledExceptionFilter, 0_2_00E3A9B5
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_0039A060 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0039A060
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_003B67F9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_003B67F9
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_0039A810 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0039A810
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: 1_2_0039A9B5 SetUnhandledExceptionFilter, 1_2_0039A9B5
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E02230 GetDlgItem,GetDlgItem,GetModuleFileNameW,_wcslen,ShellExecuteExW,WaitForInputIdle,ShowWindow,WaitForSingleObject,GetExitCodeProcess,CloseHandle, 0_2_00E02230
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Process created: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe c:\users\user\appdata\local\temp\{978b1b8a-e3ca-4b77-9a20-8153b898500e}\aglcstructuredsettlementsinstaller.exe /q"c:\users\user\desktop\aglcstructuredsettlementsinstaller.exe" /tempdisk1folder"c:\users\user\appdata\local\temp\{978b1b8a-e3ca-4b77-9a20-8153b898500e}" /is_temp
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E242EE __EH_prolog3_GS,InitializeSecurityDescriptor,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,SetEntriesInAclW,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity,LocalFree, 0_2_00E242EE
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E4343D GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid, 0_2_00E4343D
Source: AGLCStructuredSettlementsInstaller.exe Binary or memory string: Shell_TrayWnd
Source: AGLCStructuredSettlementsInstaller.exe Binary or memory string: BShell_TrayWnd0x0409DevStudio/IDE/Workspaces/MM_FilesExlusion/FilesExlusionMM_GUIDInclusionFileNamesDevStudio/IDE/Workspaces/CustomAction/*IS_ActionTypeDescriptionDevStudio/IDE/Workspaces/CustomAction/IS_Action[@Name="{GUID}.%s"]DevStudio/IDE/Workspaces/UpdateService/ISUS_CmdLineDevStudio/IDE/Workspaces/MsiDialog/DialogLockDevStudio/IDE/Workspaces/ScriptDialog/IS_ScriptDialogDisplayNameScriptMSIOnlyDevStudio/IDE/Workspaces/ScriptDialog/IS_ScriptTextStyleLangFaceNameSizeStyleBitsColorDevStudio/Scanners/DotNetExclusionListPathDevStudio/IDE/NewProjectDlg/IS_HidePrjTypeEPrjTypeDevStudio/IDE/Workspaces/SQLScripts/IS_MetaDataAdoDriverNameAdoCxnDriverAdoCxnServerAdoCxnDatabaseAdoCxnUserIDAdoCxnPasswordAdoCxnWindowsSecurityAdoCxnNetLibraryVersionBeginTokenVersionEndTokenVersionInfoCmdTestDatabaseCmdTestTableCmdLocalInstanceNamesCreateDbCmdSwitchDbCmdISAttributesTestTableCmd2WinAuthentUserIdDsnODBCNameAdoCxnPortAdoCxnAdditionalQueryDatabasesCmdCreateTableCmdInsertRecordCmdSelectTableCmdScriptVersion_TableScriptVersion_ColumnScriptVersion_ColumnTypePRQFileX86PRQFileX64DevStudio/IDE/Workspaces/SQLScripts/IS_MetaData[@Name="%s"]/Properties/PropertyDevStudio/IDE/Workspaces/SQLScripts/IS_MetaData[@Name="%s"]/ProductVersions/ProductVersionMajorVersionServicePackLevelDevStudio/IDE/Workspaces/SQLScripts/IS_MetaData[@Name="%s"]/Drivers/DriverDevStudio/IDE/Workspaces/SQLScripts/DBImport_ColumnTypeNullableDefaultValueDevStudio/IDE/Workspaces/SQLScripts/DBImport_BulkCopyPropRowDelimiterColumnDelimiterDevStudio/Build/Settings/MSI30DevStudio/Build/Settings/MSI31versionDevStudio/Build/DotNetRedistributables/NetFx[@key="0"]DevStudio/Build/DotNetRedistributables/NetFx[@key="1"]DevStudio/Build/DotNetRedistributables/NetFx[@key="2"]VersionCoreLangLangPackDevStudio/IDE/Workspaces/ClickOnce/Permissions/*ZonesSourceMetaDataDevStudio/DIM/PredefinedTargetFolders/PredefinedTargetFolderVarNameVarValueDevStudio/DIM/Languages/LanguageMsiLangIdCountryVariantIdDevStudio/IDE/StringImportExport/StringImportEscCharsAsLiteralDevStudio/ISXML/Encodings/EncodingDevStudio/Build/EmptyTableDispositionDevStudio/Build/EmptyTableDisposition/*KeepDropRef:DevStudio/Build/WarningsDisableDevStudio/Build/DirectoryReferences/ReferenceTableColumnDevStudio/Build/DigitalSignatureDevStudio/Build/DigitalSignature[@TimestampRFC3161]TimestampTimestampRFC3161DevStudio/Build/DelayBetweenSigningdefaultDevStudio/Build/DigitalSignature[@Platform]PlatformDevStudio/Build/DigitalSignature[@ValidateSetupAndMSISignatures]ValidateSetupAndMSISignaturesDevStudio/Build/ComExtractionTimeoutDevStudio/ISMobile/MobileDevices/MobileDeviceMaskDevStudio/ISMobile/MobileDevices/MobileDevice[@Mask="%d"]DevStudio/ISMobile/MobileDevices/MobileDevice[@Mask="%d"]/UnsupportedPlatforms/PlatformPlatformMinPlatformMaxDeviceNamePlatformNamePlatformStringBuildMaxScreenSupportDevStudio/ISMobile/MobileRedists/MobileRedistDevStudio/ISMobile/MobileRedists/MobileRedist[@Name="%s"]/ShortCabFileNames/ShortCabFileExtDevStudio/ISMobile/MobileRedistPath
Source: AGLCStructuredSettlementsInstaller.exe, 00000001.00000000.1784594942.00000000003E5000.00000002.00000001.01000000.00000004.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000001.00000002.2229880234.00000000003E5000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: 6Shell_TrayWnd0x0409DevStudio/IDE/Workspaces/MM_FilesExlusion/FilesExlusionMM_GUIDInclusionFileNamesDevStudio/IDE/Workspaces/CustomAction/*IS_ActionTypeDescriptionDevStudio/IDE/Workspaces/CustomAction/IS_Action[@Name="{GUID}.%s"]DevStudio/IDE/Workspaces/UpdateService/ISUS_CmdLineDevStudio/IDE/Workspaces/MsiDialog/DialogLockDevStudio/IDE/Workspaces/ScriptDialog/IS_ScriptDialogDisplayNameScriptMSIOnlyDevStudio/IDE/Workspaces/ScriptDialog/IS_ScriptTextStyleLangFaceNameSizeStyleBitsColorDevStudio/Scanners/DotNetExclusionListPathDevStudio/IDE/NewProjectDlg/IS_HidePrjTypeEPrjTypeDevStudio/IDE/Workspaces/SQLScripts/IS_MetaDataAdoDriverNameAdoCxnDriverAdoCxnServerAdoCxnDatabaseAdoCxnUserIDAdoCxnPasswordAdoCxnWindowsSecurityAdoCxnNetLibraryVersionBeginTokenVersionEndTokenVersionInfoCmdTestDatabaseCmdTestTableCmdLocalInstanceNamesCreateDbCmdSwitchDbCmdISAttributesTestTableCmd2WinAuthentUserIdDsnODBCNameAdoCxnPortAdoCxnAdditionalQueryDatabasesCmdCreateTableCmdInsertRecordCmdSelectTableCmdScriptVersion_TableScriptVersion_ColumnScriptVersion_ColumnTypePRQFileX86PRQFileX64DevStudio/IDE/Workspaces/SQLScripts/IS_MetaData[@Name="%s"]/Properties/PropertyDevStudio/IDE/Workspaces/SQLScripts/IS_MetaData[@Name="%s"]/ProductVersions/ProductVersionMajorVersionServicePackLevelDevStudio/IDE/Workspaces/SQLScripts/IS_MetaData[@Name="%s"]/Drivers/DriverDevStudio/IDE/Workspaces/SQLScripts/DBImport_ColumnTypeNullableDefaultValueDevStudio/IDE/Workspaces/SQLScripts/DBImport_BulkCopyPropRowDelimiterColumnDelimiterDevStudio/Build/Settings/MSI30DevStudio/Build/Settings/MSI31versionDevStudio/Build/DotNetRedistributables/NetFx[@key="0"]DevStudio/Build/DotNetRedistributables/NetFx[@key="1"]DevStudio/Build/DotNetRedistributables/NetFx[@key="2"]VersionCoreLangLangPackDevStudio/IDE/Workspaces/ClickOnce/Permissions/*ZonesSourceMetaDataDevStudio/DIM/PredefinedTargetFolders/PredefinedTargetFolderVarNameVarValueDevStudio/DIM/Languages/LanguageMsiLangIdCountryVariantIdDevStudio/IDE/StringImportExport/StringImportEscCharsAsLiteralDevStudio/ISXML/Encodings/EncodingDevStudio/Build/EmptyTableDispositionDevStudio/Build/EmptyTableDisposition/*KeepDropRef:DevStudio/Build/WarningsDisableDevStudio/Build/DirectoryReferences/ReferenceTableColumnDevStudio/Build/DigitalSignatureDevStudio/Build/DigitalSignature[@TimestampRFC3161]TimestampTimestampRFC3161DevStudio/Build/DelayBetweenSigningdefaultDevStudio/Build/DigitalSignature[@Platform]PlatformDevStudio/Build/DigitalSignature[@ValidateSetupAndMSISignatures]ValidateSetupAndMSISignaturesDevStudio/Build/ComExtractionTimeoutDevStudio/ISMobile/MobileDevices/MobileDeviceMaskDevStudio/ISMobile/MobileDevices/MobileDevice[@Mask="%d"]DevStudio/ISMobile/MobileDevices/MobileDevice[@Mask="%d"]/UnsupportedPlatforms/PlatformPlatformMinPlatformMaxDeviceNamePlatformNamePlatformStringBuildMaxScreenSupportDevStudio/ISMobile/MobileRedists/MobileRedistDevStudio/ISMobile/MobileRedists/MobileRedist[@Name="%s"]/ShortCabFileNames/ShortCabFileExtDevStudio/ISMobile/MobileRedistPath
Source: AGLCStructuredSettlementsInstaller.exe, 00000000.00000002.2231591525.0000000000E85000.00000002.00000001.01000000.00000003.sdmp, AGLCStructuredSettlementsInstaller.exe, 00000000.00000000.1759602922.0000000000E85000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: Shell_TrayWnd0x0409DevStudio/IDE/Workspaces/MM_FilesExlusion/FilesExlusionMM_GUIDInclusionFileNamesDevStudio/IDE/Workspaces/CustomAction/*IS_ActionTypeDescriptionDevStudio/IDE/Workspaces/CustomAction/IS_Action[@Name="{GUID}.%s"]DevStudio/IDE/Workspaces/UpdateService/ISUS_CmdLineDevStudio/IDE/Workspaces/MsiDialog/DialogLockDevStudio/IDE/Workspaces/ScriptDialog/IS_ScriptDialogDisplayNameScriptMSIOnlyDevStudio/IDE/Workspaces/ScriptDialog/IS_ScriptTextStyleLangFaceNameSizeStyleBitsColorDevStudio/Scanners/DotNetExclusionListPathDevStudio/IDE/NewProjectDlg/IS_HidePrjTypeEPrjTypeDevStudio/IDE/Workspaces/SQLScripts/IS_MetaDataAdoDriverNameAdoCxnDriverAdoCxnServerAdoCxnDatabaseAdoCxnUserIDAdoCxnPasswordAdoCxnWindowsSecurityAdoCxnNetLibraryVersionBeginTokenVersionEndTokenVersionInfoCmdTestDatabaseCmdTestTableCmdLocalInstanceNamesCreateDbCmdSwitchDbCmdISAttributesTestTableCmd2WinAuthentUserIdDsnODBCNameAdoCxnPortAdoCxnAdditionalQueryDatabasesCmdCreateTableCmdInsertRecordCmdSelectTableCmdScriptVersion_TableScriptVersion_ColumnScriptVersion_ColumnTypePRQFileX86PRQFileX64DevStudio/IDE/Workspaces/SQLScripts/IS_MetaData[@Name="%s"]/Properties/PropertyDevStudio/IDE/Workspaces/SQLScripts/IS_MetaData[@Name="%s"]/ProductVersions/ProductVersionMajorVersionServicePackLevelDevStudio/IDE/Workspaces/SQLScripts/IS_MetaData[@Name="%s"]/Drivers/DriverDevStudio/IDE/Workspaces/SQLScripts/DBImport_ColumnTypeNullableDefaultValueDevStudio/IDE/Workspaces/SQLScripts/DBImport_BulkCopyPropRowDelimiterColumnDelimiterDevStudio/Build/Settings/MSI30DevStudio/Build/Settings/MSI31versionDevStudio/Build/DotNetRedistributables/NetFx[@key="0"]DevStudio/Build/DotNetRedistributables/NetFx[@key="1"]DevStudio/Build/DotNetRedistributables/NetFx[@key="2"]VersionCoreLangLangPackDevStudio/IDE/Workspaces/ClickOnce/Permissions/*ZonesSourceMetaDataDevStudio/DIM/PredefinedTargetFolders/PredefinedTargetFolderVarNameVarValueDevStudio/DIM/Languages/LanguageMsiLangIdCountryVariantIdDevStudio/IDE/StringImportExport/StringImportEscCharsAsLiteralDevStudio/ISXML/Encodings/EncodingDevStudio/Build/EmptyTableDispositionDevStudio/Build/EmptyTableDisposition/*KeepDropRef:DevStudio/Build/WarningsDisableDevStudio/Build/DirectoryReferences/ReferenceTableColumnDevStudio/Build/DigitalSignatureDevStudio/Build/DigitalSignature[@TimestampRFC3161]TimestampTimestampRFC3161DevStudio/Build/DelayBetweenSigningdefaultDevStudio/Build/DigitalSignature[@Platform]PlatformDevStudio/Build/DigitalSignature[@ValidateSetupAndMSISignatures]ValidateSetupAndMSISignaturesDevStudio/Build/ComExtractionTimeoutDevStudio/ISMobile/MobileDevices/MobileDeviceMaskDevStudio/ISMobile/MobileDevices/MobileDevice[@Mask="%d"]DevStudio/ISMobile/MobileDevices/MobileDevice[@Mask="%d"]/UnsupportedPlatforms/PlatformPlatformMinPlatformMaxDeviceNamePlatformNamePlatformStringBuildMaxScreenSupportDevStudio/ISMobile/MobileRedists/MobileRedistDevStudio/ISMobile/MobileRedists/MobileRedist[@Name="%s"]/ShortCabFileNames/ShortCabFileExtDevStudio/ISMobile/MobileRedistPaths
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E3A624 cpuid 0_2_00E3A624
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale, 0_2_00E042B5
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: GetLocaleInfoW, 0_2_00E379FE
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale, 0_2_00E37979
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale, 1_2_003642B5
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale, 1_2_00397979
Source: C:\Users\user\AppData\Local\Temp\{978B1B8A-E3CA-4B77-9A20-8153B898500E}\AGLCStructuredSettlementsInstaller.exe Code function: GetLocaleInfoW, 1_2_003979FE
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E3AA4B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00E3AA4B
Source: C:\Users\user\Desktop\AGLCStructuredSettlementsInstaller.exe Code function: 0_2_00E43421 GetVersion, 0_2_00E43421
No contacted IP infos