Source: h4QtFUlwIz.exe
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: h4QtFUlwIz.exe
Static PE information: certificate valid
Source: h4QtFUlwIz.exe
Binary string: wextract.pdb
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
Binary string: C:\agent\_work\66\s\build\ship\x86\scaexec.pdb
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C51000.00000004.00000020.00020000.00000000.sdmp, h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C15000.00000004.00000020.00020000.00000000.sdmp, h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003D9A000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\SfxCA.pdb
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
Binary string: C:\agent\_work\66\s\build\ship\x86\scasched.pdb
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: h4QtFUlwIz.exe
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: h4QtFUlwIz.exe
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: h4QtFUlwIz.exe
String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: h4QtFUlwIz.exe
String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: h4QtFUlwIz.exe
String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: h4QtFUlwIz.exe
String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: h4QtFUlwIz.exe
String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: h4QtFUlwIz.exe
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: h4QtFUlwIz.exe
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: h4QtFUlwIz.exe
String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: h4QtFUlwIz.exe
String found in binary or memory: http://ocsp.digicert.com0A
Source: h4QtFUlwIz.exe, VC234PATCH01.msp.0.dr
String found in binary or memory: http://ocsp.digicert.com0C
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
String found in binary or memory: http://ocsp.digicert.com0K
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
String found in binary or memory: http://ocsp.digicert.com0N
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
String found in binary or memory: http://ocsp.digicert.com0O
Source: h4QtFUlwIz.exe
String found in binary or memory: http://ocsp.digicert.com0X
Source: h4QtFUlwIz.exe
String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: h4QtFUlwIz.exe
String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: h4QtFUlwIz.exe
String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: h4QtFUlwIz.exe
String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: h4QtFUlwIz.exe
String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: h4QtFUlwIz.exe
String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: h4QtFUlwIz.exe
String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
String found in binary or memory: http://wixtoolset.org
Source: VC234PATCH01.msp.0.dr
String found in binary or memory: http://www.opentext.com/2/global/services-home/services-support-contact.htmMoreInfoURLOptimizedInsta
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
String found in binary or memory: https://www.digicert.com/CPS0
Source: h4QtFUlwIz.exe
String found in binary or memory: https://www.globalsign.com/repository/0
Source: h4QtFUlwIz.exe
String found in binary or memory: https://www.opentext.com0
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Code function: 0_2_0100871A
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Code function: 0_2_01009A1F
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Code function: 0_2_01008DBD
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Code function: 0_2_01008A3E
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Code function: 0_2_010095E5
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Code function: 0_2_01009175
Source: h4QtFUlwIz.exe
Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 16117495 bytes, 1 file, at 0x2c +A "VC234PATCH01.msp", ID 1153, number 1, 533 datablocks, 0x1503 compression
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003BE3000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameCopySAPConnector.dlll% vs h4QtFUlwIz.exe
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003BE3000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameSfxCA.dll\ vs h4QtFUlwIz.exe
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameGACnetCheck.dlll% vs h4QtFUlwIz.exe
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameSfxCA.dll\ vs h4QtFUlwIz.exe
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: OriginalFilenamescasched.dll\ vs h4QtFUlwIz.exe
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: OriginalFilenamescaexec.dll\ vs h4QtFUlwIz.exe
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameCopySAPConnector.dlll% vs h4QtFUlwIz.exe
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameSfxCA.dll\ vs h4QtFUlwIz.exe
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003DA4000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameSetDefaultDatabaseConnection.dlll% vs h4QtFUlwIz.exe
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003DA4000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: OriginalFilenameSfxCA.dll\ vs h4QtFUlwIz.exe
Source: h4QtFUlwIz.exe
Binary or memory string: OriginalFilenameWEXTRACT.EXE h# vs h4QtFUlwIz.exe
Source: h4QtFUlwIz.exe
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine
Classification label: clean2.winEXE@4/1@0/0
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Code function: 0_2_01005190 GetDlgItem,GetDlgItem,ShowWindow,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA,
Source: h4QtFUlwIz.exe
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown
Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: unknown
Process created: C:\Users\user\Desktop\h4QtFUlwIz.exe "C:\Users\user\Desktop\h4QtFUlwIz.exe"

Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /p VC234PATCH01.msp REINSTALL=ALL REINSTALLMODE=amus /qf

Source: unknown
Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"

Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /p VC234PATCH01.msp REINSTALL=ALL REINSTALLMODE=amus /qf
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: mpr.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: sfc.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: version.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: feclient.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Section loaded: advpack.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: duser.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: atlthunk.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe
Section loaded: wintypes.dll
Source: h4QtFUlwIz.exe
Static PE information: certificate valid
Source: h4QtFUlwIz.exe
Static file information: File size 16199144 > 1048576
Source: h4QtFUlwIz.exe
Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xf65800
Source: h4QtFUlwIz.exe
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: h4QtFUlwIz.exe
Binary string: wextract.pdb
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
Binary string: C:\agent\_work\66\s\build\ship\x86\scaexec.pdb
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C51000.00000004.00000020.00020000.00000000.sdmp, h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C15000.00000004.00000020.00020000.00000000.sdmp, h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003D9A000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\SfxCA.pdb
Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr
Binary string: C:\agent\_work\66\s\build\ship\x86\scasched.pdb
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
Source: C:\Windows\System32\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\h4QtFUlwIz.exe
Code function: 0_2_0100646B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,