Windows Analysis Report
view_01-64.exe

Overview

General Information

Sample name: view_01-64.exe
Analysis ID: 1431424
MD5: 72ac0fb34f691758105bbc4eb920ad8a
SHA1: 6e4f9dedfeed0d06aec464584ca510ce08cbb5f4
SHA256: ff6cc44c832e3318bc9d673f8eb053666d38002698814c23c88df9a6d357fd66
Detection

Score: 30
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\is-MFO1U.tmp ReversingLabs: Detection: 25%
Source: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\is-MFO1U.tmp Virustotal: Detection: 34%
Source: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\is-QTH30.tmp ReversingLabs: Detection: 21%
Source: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\is-QTH30.tmp Virustotal: Detection: 34%
Source: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\liveplayer.exe (copy) ReversingLabs: Detection: 21%
Source: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\liveplayer.exe (copy) Virustotal: Detection: 34%
Source: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\maintenance.exe (copy) ReversingLabs: Detection: 25%
Source: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\maintenance.exe (copy) Virustotal: Detection: 34%
Source: view_01-64.exe Virustotal: Detection: 12%
Source: view_01-64.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VR-7000_is1
Source: Binary string: e:\scada_win\obj\Release.clientrecorder\clientrecorder.pdb source: clientrecorder.exe.13.dr
Source: Binary string: c:\furuno\scada_win\obj\Release.rcplayer\rcplayer.pdb source: view_01-64.tmp, 00000001.00000003.1944388445.00000000061E7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: NB10nlO6L:\jcomm\src\win32\jcomm1.0\ext\comm\build\win32\win32com.pdb source: is-JN5IK.tmp.1.dr
Source: Binary string: c:\furuno\scada_win\app\confirmdialog\debug\confirmDialog.pdb source: is-KLCB3.tmp.1.dr
Source: Binary string: e:\scada_win\obj\Release.rcplayer\rcplayer.pdb source: rcplayer.exe.13.dr
Source: Binary string: c:\furuno\scada_win\obj\Release.extclient\extclient.pdb source: view_01-64.tmp, 00000001.00000003.1944388445.0000000005D10000.00000004.00001000.00020000.00000000.sdmp, is-8706V.tmp.1.dr
Source: Binary string: L:\jcomm\src\win32\jcomm1.0\ext\comm\build\win32\win32com.pdb source: is-JN5IK.tmp.1.dr
Source: Binary string: e:\scada_win\obj\Release.extclient\extclient.pdb source: xcopy.exe, 0000000F.00000003.1874316381.0000028490F2E000.00000004.00000020.00020000.00000000.sdmp, extclient.exe.13.dr
Source: Binary string: c:\workspace\src\client\scada_win\obj\Release.combine\combine.pdb source: is-RRTAP.tmp.1.dr
Source: Binary string: e:\scada_win\obj\Release.speedtest\speedtest.pdb source: is-CKFTJ.tmp.1.dr
Source: Binary string: e:\scada_win\obj\Release.liveremoteconverter\liveremoteconverter.pdb source: is-596LT.tmp.1.dr
Source: Binary string: e:\scada_win\obj\Release.VdrCheckFileTest\VdrCheckFileTest.pdb source: is-7UQKD.tmp.1.dr
Source: Binary string: e:\scada_win\obj\Release.ServiceMinit\ServiceMinit.pdb source: ServiceMinit.exe, ServiceMinit.exe, 00000006.00000000.1852164506.0000000000430000.00000002.00000001.01000000.00000008.sdmp, ServiceMinit.exe, 00000006.00000002.1853005194.0000000000430000.00000002.00000001.01000000.00000008.sdmp, ServiceMinit.exe, 00000007.00000000.1853570408.0000000000430000.00000002.00000001.01000000.00000008.sdmp, ServiceMinit.exe, 00000007.00000002.1855826199.0000000000430000.00000002.00000001.01000000.00000008.sdmp, is-0KHA3.tmp.1.dr
Source: Binary string: e:\scada_win\obj\Release.ServiceMinit\ServiceMinit.pdb$ source: ServiceMinit.exe, 00000006.00000000.1852164506.0000000000430000.00000002.00000001.01000000.00000008.sdmp, ServiceMinit.exe, 00000006.00000002.1853005194.0000000000430000.00000002.00000001.01000000.00000008.sdmp, ServiceMinit.exe, 00000007.00000000.1853570408.0000000000430000.00000002.00000001.01000000.00000008.sdmp, ServiceMinit.exe, 00000007.00000002.1855826199.0000000000430000.00000002.00000001.01000000.00000008.sdmp, is-0KHA3.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00452A60 FindFirstFileA,GetLastError, 1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463CDC
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: 6_2_0040D61A __getdrive,FindFirstFileA,__fullpath,__fullpath,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 6_2_0040D61A
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: 6_2_00417C6D __getdrive,FindFirstFileA,__fullpath,__fullpath,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 6_2_00417C6D
Source: is-1445O.tmp.1.dr String found in binary or memory: http://www.apache.org/licenses/
Source: is-1445O.tmp.1.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: view_01-64.tmp, view_01-64.tmp, 00000001.00000002.1946339227.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.innosetup.com/
Source: view_01-64.exe String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: view_01-64.exe String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: view_01-64.exe, 00000000.00000003.1644115575.00000000020F8000.00000004.00001000.00020000.00000000.sdmp, view_01-64.exe, 00000000.00000003.1643980688.0000000002400000.00000004.00001000.00020000.00000000.sdmp, view_01-64.tmp, view_01-64.tmp, 00000001.00000002.1946339227.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.remobjects.com/ps
Source: view_01-64.exe, 00000000.00000003.1644115575.00000000020F8000.00000004.00001000.00020000.00000000.sdmp, view_01-64.exe, 00000000.00000003.1643980688.0000000002400000.00000004.00001000.00020000.00000000.sdmp, view_01-64.tmp, 00000001.00000002.1946339227.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.remobjects.com/psU

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00423B84 NtdllDefWindowProc_A, 1_2_00423B84
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_004125D8 NtdllDefWindowProc_A, 1_2_004125D8
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00478AC0 NtdllDefWindowProc_A, 1_2_00478AC0
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_0042F520 NtdllDefWindowProc_A, 1_2_0042F520
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_00457594
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 1_2_0042E934
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: 6_2_00406140 InitializeCriticalSection,EnterCriticalSection,OpenSCManagerA,MessageBoxA,OpenServiceA,CloseServiceHandle,MessageBoxA,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,MessageBoxA, 6_2_00406140
Source: C:\Users\user\Desktop\view_01-64.exe Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_004555E4
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: String function: 00401220 appears 81 times
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: String function: 00413950 appears 84 times
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: String function: 004188A9 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: String function: 00408C0C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: String function: 00406AC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: String function: 0040595C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: String function: 00457F1C appears 73 times
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: String function: 00445DD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: String function: 00457D10 appears 96 times
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: String function: 004344DC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: String function: 004078F4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: String function: 00403494 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: String function: 00403684 appears 225 times
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: String function: 00453344 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: String function: 004460A4 appears 59 times
Source: view_01-64.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: view_01-64.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: view_01-64.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-5113G.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-5113G.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-5113G.tmp.1.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: view_01-64.exe, 00000000.00000003.1644115575.00000000020F8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs view_01-64.exe
Source: view_01-64.exe, 00000000.00000003.1643980688.0000000002400000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs view_01-64.exe
Source: classification engine Classification label: sus30.winEXE@28/1012@0/0
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceExA,GetDiskFreeSpaceA, 1_2_00455E0C
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: InitializeCriticalSection,EnterCriticalSection,OpenSCManagerA,MessageBoxA,GetModuleFileNameA,CreateServiceA,CloseServiceHandle,MessageBoxA,CloseServiceHandle,CloseServiceHandle, 6_2_00405FE0
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: 6_2_004051C0 CoCreateInstance,StringFromGUID2,lstrlenW,RegQueryInfoKeyA,RegQueryInfoKeyA, 6_2_004051C0
Source: C:\Users\user\Desktop\view_01-64.exe Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_00409C34
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: 6_2_00406280 InitializeCriticalSection,EnterCriticalSection,StartServiceCtrlDispatcherA,InitializeCriticalSection,EnterCriticalSection, 6_2_00406280
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Users\user\Desktop\view_01-64.exe File created: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\FURUNO\VR-7000\CreateService.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe wscript InstSeverEnvironment.vbs
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Command line argument: UnregServer 6_2_00403970
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Command line argument: RegServer 6_2_00403970
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Command line argument: Service 6_2_00403970
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Command line argument: AppID 6_2_00403970
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Command line argument: LocalService 6_2_00403970
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\view_01-64.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: view_01-64.exe String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: view_01-64.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\view_01-64.exe File read: C:\Users\user\Desktop\view_01-64.exe
Source: unknown Process created: C:\Users\user\Desktop\view_01-64.exe "C:\Users\user\Desktop\view_01-64.exe"
Source: C:\Users\user\Desktop\view_01-64.exe Process created: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp "C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp" /SL5="$7047C,14900298,56832,C:\Users\user\Desktop\view_01-64.exe"
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\FURUNO\VR-7000\CreateService.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "VDR Servers Service"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe server\bin\ServiceMinit.exe /UnregServer
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe server\bin\ServiceMinit.exe /Service
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\FURUNO\VR-7000\CreateSeverEnvironment.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe wscript InstSeverEnvironment.vbs
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\FURUNO\VR-7000\Viewer\CreateLatestBackup.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /E /Y ..\_previous ..\_latest
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /E /Y /U ..\dlls ..\_latest\dlls
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /E /Y /U ..\server ..\_latest\server
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /E /Y /U ..\Viewer ..\_latest\Viewer
Source: C:\Users\user\Desktop\view_01-64.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\view_01-64.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: ifsutil.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: ifsutil.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\xcopy.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Windows\System32\xcopy.exe File written: C:\Program Files (x86)\FURUNO\VR-7000\_latest\server\data\onlndb\Config.ini
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Automated click: Next >
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VR-7000_is1
Source: view_01-64.exe Static file information: File size 15161609 > 1048576
Source: Binary string: e:\scada_win\obj\Release.clientrecorder\clientrecorder.pdb source: clientrecorder.exe.13.dr
Source: Binary string: c:\furuno\scada_win\obj\Release.rcplayer\rcplayer.pdb source: view_01-64.tmp, 00000001.00000003.1944388445.00000000061E7000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: NB10nlO6L:\jcomm\src\win32\jcomm1.0\ext\comm\build\win32\win32com.pdb source: is-JN5IK.tmp.1.dr
Source: Binary string: c:\furuno\scada_win\app\confirmdialog\debug\confirmDialog.pdb source: is-KLCB3.tmp.1.dr
Source: Binary string: e:\scada_win\obj\Release.rcplayer\rcplayer.pdb source: rcplayer.exe.13.dr
Source: Binary string: c:\furuno\scada_win\obj\Release.extclient\extclient.pdb source: view_01-64.tmp, 00000001.00000003.1944388445.0000000005D10000.00000004.00001000.00020000.00000000.sdmp, is-8706V.tmp.1.dr
Source: Binary string: L:\jcomm\src\win32\jcomm1.0\ext\comm\build\win32\win32com.pdb source: is-JN5IK.tmp.1.dr
Source: Binary string: e:\scada_win\obj\Release.extclient\extclient.pdb source: xcopy.exe, 0000000F.00000003.1874316381.0000028490F2E000.00000004.00000020.00020000.00000000.sdmp, extclient.exe.13.dr
Source: Binary string: c:\workspace\src\client\scada_win\obj\Release.combine\combine.pdb source: is-RRTAP.tmp.1.dr
Source: Binary string: e:\scada_win\obj\Release.speedtest\speedtest.pdb source: is-CKFTJ.tmp.1.dr
Source: Binary string: e:\scada_win\obj\Release.liveremoteconverter\liveremoteconverter.pdb source: is-596LT.tmp.1.dr
Source: Binary string: e:\scada_win\obj\Release.VdrCheckFileTest\VdrCheckFileTest.pdb source: is-7UQKD.tmp.1.dr
Source: Binary string: e:\scada_win\obj\Release.ServiceMinit\ServiceMinit.pdb source: ServiceMinit.exe, ServiceMinit.exe, 00000006.00000000.1852164506.0000000000430000.00000002.00000001.01000000.00000008.sdmp, ServiceMinit.exe, 00000006.00000002.1853005194.0000000000430000.00000002.00000001.01000000.00000008.sdmp, ServiceMinit.exe, 00000007.00000000.1853570408.0000000000430000.00000002.00000001.01000000.00000008.sdmp, ServiceMinit.exe, 00000007.00000002.1855826199.0000000000430000.00000002.00000001.01000000.00000008.sdmp, is-0KHA3.tmp.1.dr
Source: Binary string: e:\scada_win\obj\Release.ServiceMinit\ServiceMinit.pdb$ source: ServiceMinit.exe, 00000006.00000000.1852164506.0000000000430000.00000002.00000001.01000000.00000008.sdmp, ServiceMinit.exe, 00000006.00000002.1853005194.0000000000430000.00000002.00000001.01000000.00000008.sdmp, ServiceMinit.exe, 00000007.00000000.1853570408.0000000000430000.00000002.00000001.01000000.00000008.sdmp, ServiceMinit.exe, 00000007.00000002.1855826199.0000000000430000.00000002.00000001.01000000.00000008.sdmp, is-0KHA3.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
Source: is-8V50C.tmp.1.dr Static PE information: section name: .textbss
Source: is-PPA9R.tmp.1.dr Static PE information: section name: .textbss
Source: is-596LT.tmp.1.dr Static PE information: section name: .textbss
Source: is-AP3B5.tmp.1.dr Static PE information: section name: .textbss
Source: is-CKFTJ.tmp.1.dr Static PE information: section name: .textbss
Source: C:\Users\user\Desktop\view_01-64.exe Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
Source: C:\Users\user\Desktop\view_01-64.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\view_01-64.exe Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
Source: C:\Users\user\Desktop\view_01-64.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\view_01-64.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\view_01-64.exe Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\view_01-64.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\view_01-64.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\view_01-64.exe Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_0040994C push 00409989h; ret 1_2_00409981
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00483F88 push 00484096h; ret 1_2_0048408E
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax 1_2_004062B5
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx 1_2_004104E5
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00412928 push 0041298Bh; ret 1_2_00412983
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00494CAC push ecx; mov dword ptr [esp], ecx 1_2_00494CB1
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx 1_2_0040CE3A
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_004592D0 push 00459314h; ret 1_2_0045930C
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx 1_2_0040F39A
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx 1_2_00443444
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00485678 push ecx; mov dword ptr [esp], ecx 1_2_0048567D
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_004517F8 push 0045182Bh; ret 1_2_00451823
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_004519BC push ecx; mov dword ptr [esp], eax 1_2_004519C1
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00477B08 push ecx; mov dword ptr [esp], edx 1_2_00477B09
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00419C28 push ecx; mov dword ptr [esp], ecx 1_2_00419C2D
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_0045FD1C push ecx; mov dword ptr [esp], ecx 1_2_0045FD20
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00499D30 pushad ; retf 1_2_00499D3F
Source: is-6L83T.tmp.1.dr Static PE information: section name: .text entropy: 6.812097707799091
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-PPA9R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\is-84QUO.tmp
Source: C:\Windows\System32\xcopy.exe File created: C:\Program Files (x86)\FURUNO\VR-7000\_latest\dlls\VDRTransRtp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-5HDDL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\TVRSocket.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\maintenance.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-PCP74.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\confirmDialog.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\vsend.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\_previous\server\bin\is-OUSS8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-6L83T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-2397E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\liveremoteconverter.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-8V50C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\liveplayer.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\is-QTH30.tmp
Source: C:\Windows\System32\xcopy.exe File created: C:\Program Files (x86)\FURUNO\VR-7000\_latest\dlls\VDRAVCtrlJNI.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\_previous\server\bin\is-895CV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-SKTFO.tmp
Source: C:\Windows\System32\xcopy.exe File created: C:\Program Files (x86)\FURUNO\VR-7000\_latest\server\bin\rserv.exe
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\is-5113G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Users\user\AppData\Local\Temp\is-S4J2T.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\libvorbis.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\tar32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\is-MFO1U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\libogg.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\speedtest.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\tarcmd.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\VDRTransRtp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\extclient.exe (copy)
Source: C:\Windows\System32\xcopy.exe File created: C:\Program Files (x86)\FURUNO\VR-7000\_latest\server\bin\rcplayer.exe
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-L1595.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\_previous\dlls\is-N0LRV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\libvorbisfile.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-OR35G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\combine.exe (copy)
Source: C:\Windows\System32\xcopy.exe File created: C:\Program Files (x86)\FURUNO\VR-7000\_latest\server\bin\extclient.exe
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-84GGN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\_previous\server\bin\rcplayer.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\clientrecorder.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\libexpat.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\_previous\dlls\is-M5B6A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\rserv.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\UTSecureLayer.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\_previous\server\bin\extclient.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\_previous\dlls\VDRAVCtrlJNI.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-96783.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\rcplayer.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-SDE95.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-KVTDD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-E2844.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\combine.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\speedtest.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\_previous\server\bin\is-8706V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-CJB6D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\confirmDialog.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-EGJ3O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-CKFTJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\TVRThread.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\msend.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\libSecurityJNI.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-KLCB3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\_previous\dlls\VDRTransRtp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\is-U7GO5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\win32com.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\_previous\server\bin\is-VDN2J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-5ROI4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\remoteclient.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-0KHA3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Users\user\AppData\Local\Temp\is-S4J2T.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-9JE74.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-RRTAP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\VDRAVCtrlJNI.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\NmeaDecodeJNI.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-FURKP.tmp
Source: C:\Users\user\Desktop\view_01-64.exe File created: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-596LT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-AP3B5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-JN5IK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-3H48C.tmp
Source: C:\Windows\System32\xcopy.exe File created: C:\Program Files (x86)\FURUNO\VR-7000\_latest\server\bin\clientrecorder.exe
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\is-PVGSK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\AisLibraryJNI.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\VdrCheckFileTest.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-V337O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-7UQKD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\_previous\server\bin\rserv.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\dlls\TVRTrace.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\Program Files (x86)\FURUNO\VR-7000\_previous\server\bin\clientrecorder.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VR-7000
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VR-7000\Live Player V5 (01.64).lnk
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VR-7000\VR-7000 VDR Maintenance Viewer (01.64).lnk
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VR-7000\VR-7000 Uninstall.lnk
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VR-7000 Previous Version
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VR-7000 Previous Version\Live Player V5 OLD (01.10).lnk
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VR-7000 Previous Version\VR-7000 VDR Maintenance Viewer OLD (01.10).lnk
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: 6_2_00406280 InitializeCriticalSection,EnterCriticalSection,StartServiceCtrlDispatcherA,InitializeCriticalSection,EnterCriticalSection, 6_2_00406280
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "VDR Servers Service"
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0042285C
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus, 1_2_004241DC
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00424194 IsIconic,SetActiveWindow, 1_2_00424194
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00418384
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00417598 IsIconic,GetCapture, 1_2_00417598
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_0048393C
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00417CCE IsIconic,SetWindowPos, 1_2_00417CCE
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417CD0
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F118
Source: C:\Users\user\Desktop\view_01-64.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-PPA9R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\is-84QUO.tmp
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_latest\dlls\VDRTransRtp.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\TVRSocket.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-5HDDL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\maintenance.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-PCP74.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\confirmDialog.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\vsend.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_previous\server\bin\is-OUSS8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-2397E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-6L83T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\liveremoteconverter.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-8V50C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\liveplayer.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\is-QTH30.tmp
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_latest\dlls\VDRAVCtrlJNI.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_previous\server\bin\is-895CV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-SKTFO.tmp
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_latest\server\bin\rserv.exe
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\is-5113G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-S4J2T.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\libvorbis.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\tar32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\is-MFO1U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\libogg.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\speedtest.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\tarcmd.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\VDRTransRtp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\extclient.exe (copy)
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_latest\server\bin\rcplayer.exe
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-L1595.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_previous\dlls\is-N0LRV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\libvorbisfile.dll (copy)
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_latest\server\bin\extclient.exe
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\combine.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-OR35G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-84GGN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_previous\server\bin\rcplayer.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\clientrecorder.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\libexpat.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_previous\dlls\is-M5B6A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\rserv.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\UTSecureLayer.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_previous\server\bin\extclient.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_previous\dlls\VDRAVCtrlJNI.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\rcplayer.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-96783.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-SDE95.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-KVTDD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-E2844.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\combine.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\speedtest.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_previous\server\bin\is-8706V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-CJB6D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\confirmDialog.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-EGJ3O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-CKFTJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\TVRThread.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\libSecurityJNI.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\msend.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-KLCB3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_previous\dlls\VDRTransRtp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\win32com.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\is-U7GO5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_previous\server\bin\is-VDN2J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-5ROI4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\remoteclient.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-S4J2T.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-9JE74.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-RRTAP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\VDRAVCtrlJNI.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\NmeaDecodeJNI.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-FURKP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-596LT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-AP3B5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-JN5IK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-3H48C.tmp
Source: C:\Windows\System32\xcopy.exe Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_latest\server\bin\clientrecorder.exe
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\Viewer\is-PVGSK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\AisLibraryJNI.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\VdrCheckFileTest.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\is-7UQKD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\is-V337O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_previous\server\bin\rserv.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\_previous\server\bin\clientrecorder.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\FURUNO\VR-7000\dlls\TVRTrace.dll (copy)
Source: C:\Users\user\Desktop\view_01-64.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00452A60 FindFirstFileA,GetLastError, 1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463CDC
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: 6_2_0040D61A __getdrive,FindFirstFileA,__fullpath,__fullpath,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 6_2_0040D61A
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: 6_2_00417C6D __getdrive,FindFirstFileA,__fullpath,__fullpath,_strlen,_IsRootUNCName,GetDriveTypeA,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose, 6_2_00417C6D
Source: C:\Users\user\Desktop\view_01-64.exe Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409B78
Source: view_01-64.tmp, 00000001.00000003.1946055291.000000000065C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Y
Source: view_01-64.tmp, 00000001.00000003.1946055291.000000000065C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Process information queried: ProcessInformation
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: 6_2_0040D11E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0040D11E
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: 6_2_00413763 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln, 6_2_00413763
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: 6_2_0041FA65 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_0041FA65
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: 6_2_0041EB5D SetUnhandledExceptionFilter,__encode_pointer, 6_2_0041EB5D
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: 6_2_0041EB7F __decode_pointer,SetUnhandledExceptionFilter, 6_2_0041EB7F
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: 6_2_00413E36 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00413E36
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_00478504
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop "VDR Servers Service"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe server\bin\ServiceMinit.exe /UnregServer
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe server\bin\ServiceMinit.exe /Service
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe wscript InstSeverEnvironment.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /E /Y ..\_previous ..\_latest
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /E /Y /U ..\dlls ..\_latest\dlls
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /E /Y /U ..\server ..\_latest\server
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\xcopy.exe xcopy /E /Y /U ..\Viewer ..\_latest\Viewer
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 1_2_0042E09C
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: 6_2_00421FCF cpuid 6_2_00421FCF
Source: C:\Users\user\Desktop\view_01-64.exe Code function: GetLocaleInfoA, 0_2_0040520C
Source: C:\Users\user\Desktop\view_01-64.exe Code function: GetLocaleInfoA, 0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: GetLocaleInfoA, 1_2_00408568
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: GetLocaleInfoA, 1_2_004085B4
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 6_2_00422145
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: GetLocaleInfoA, 6_2_0042616A
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 6_2_0042410A
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 6_2_0040C1E4
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: _LcidFromHexString,GetLocaleInfoA, 6_2_0042624C
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 6_2_004262E2
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 6_2_00426354
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 6_2_0042436C
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 6_2_00426524
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: _strlen,EnumSystemLocalesA, 6_2_004265E6
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: GetLocaleInfoA, 6_2_0042D659
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_00426674
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_0042660F
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 6_2_004266B0
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA, 6_2_0041A83C
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 6_2_004249FB
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 6_2_00424C7F
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea, 6_2_00423E57
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 6_2_00423FCD
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat, 6_2_00423F92
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_004585C8
Source: C:\Users\user\Desktop\view_01-64.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-2G7KF.tmp\view_01-64.tmp Code function: 1_2_0045559C GetUserNameA, 1_2_0045559C
Source: C:\Program Files (x86)\FURUNO\VR-7000\server\bin\ServiceMinit.exe Code function: 6_2_0041715D __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 6_2_0041715D
Source: C:\Users\user\Desktop\view_01-64.exe Code function: 0_2_00405CF4 GetVersionExA, 0_2_00405CF4
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos