Click to jump to signature section
| Source: h4QtFUlwIz.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| Source: h4QtFUlwIz.exe | Static PE information: certificate valid |
| Source: | Binary string: wextract.pdb source: h4QtFUlwIz.exe |
| Source: | Binary string: C:\agent\_work\66\s\build\ship\x86\scaexec.pdb source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr |
| Source: | Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\SfxCA.pdb source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C51000.00000004.00000020.00020000.00000000.sdmp, h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C15000.00000004.00000020.00020000.00000000.sdmp, h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003D9A000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr |
| Source: | Binary string: C:\agent\_work\66\s\build\ship\x86\scasched.pdb source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0 |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0 |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0 |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://crl.globalsign.com/root.crl0G |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0= |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02 |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0 |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://ocsp.digicert.com0A |
| Source: h4QtFUlwIz.exe, VC234PATCH01.msp.0.dr | String found in binary or memory: http://ocsp.digicert.com0C |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr | String found in binary or memory: http://ocsp.digicert.com0K |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr | String found in binary or memory: http://ocsp.digicert.com0N |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr | String found in binary or memory: http://ocsp.digicert.com0O |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://ocsp.digicert.com0X |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://ocsp.globalsign.com/rootr103 |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://ocsp.globalsign.com/rootr30; |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0? |
| Source: h4QtFUlwIz.exe | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06 |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr | String found in binary or memory: http://wixtoolset.org |
| Source: VC234PATCH01.msp.0.dr | String found in binary or memory: http://www.opentext.com/2/global/services-home/services-support-contact.htmMoreInfoURLOptimizedInsta |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr | String found in binary or memory: https://www.digicert.com/CPS0 |
| Source: h4QtFUlwIz.exe | String found in binary or memory: https://www.globalsign.com/repository/0 |
| Source: h4QtFUlwIz.exe | String found in binary or memory: https://www.opentext.com0 |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Code function: 0_2_0100871A | 0_2_0100871A |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Code function: 0_2_01009A1F | 0_2_01009A1F |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Code function: 0_2_01008DBD | 0_2_01008DBD |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Code function: 0_2_01008A3E | 0_2_01008A3E |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Code function: 0_2_010095E5 | 0_2_010095E5 |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Code function: 0_2_01009175 | 0_2_01009175 |
| Source: h4QtFUlwIz.exe | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 16117495 bytes, 1 file, at 0x2c +A "VC234PATCH01.msp", ID 1153, number 1, 533 datablocks, 0x1503 compression |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003BE3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCopySAPConnector.dlll% vs h4QtFUlwIz.exe |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003BE3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSfxCA.dll\ vs h4QtFUlwIz.exe |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGACnetCheck.dlll% vs h4QtFUlwIz.exe |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSfxCA.dll\ vs h4QtFUlwIz.exe |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamescasched.dll\ vs h4QtFUlwIz.exe |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamescaexec.dll\ vs h4QtFUlwIz.exe |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCopySAPConnector.dlll% vs h4QtFUlwIz.exe |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSfxCA.dll\ vs h4QtFUlwIz.exe |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003DA4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSetDefaultDatabaseConnection.dlll% vs h4QtFUlwIz.exe |
| Source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003DA4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSfxCA.dll\ vs h4QtFUlwIz.exe |
| Source: h4QtFUlwIz.exe | Binary or memory string: OriginalFilenameWEXTRACT.EXE h# vs h4QtFUlwIz.exe |
| Source: h4QtFUlwIz.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
| Source: classification engine | Classification label: clean2.winEXE@4/1@0/0 |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Code function: 0_2_01005190 GetDlgItem,GetDlgItem,ShowWindow,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA, | 0_2_01005190 |
| Source: h4QtFUlwIz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
| Source: unknown | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" |
| Source: unknown | Process created: C:\Users\user\Desktop\h4QtFUlwIz.exe "C:\Users\user\Desktop\h4QtFUlwIz.exe" | |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /p VC234PATCH01.msp REINSTALL=ALL REINSTALLMODE=amus /qf | |
| Source: unknown | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" | |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /p VC234PATCH01.msp REINSTALL=ALL REINSTALLMODE=amus /qf | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: apphelp.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: aclayers.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: mpr.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: sfc.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: sfc_os.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: version.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: feclient.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: iertutil.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: uxtheme.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: textinputframework.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: coreuicomponents.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: coremessaging.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: ntmarta.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: wintypes.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: wintypes.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: wintypes.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: textshaping.dll | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Section loaded: advpack.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srpapi.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: duser.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: xmllite.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: atlthunk.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textshaping.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: textinputframework.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coreuicomponents.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: coremessaging.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll | Jump to behavior |
| Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll | Jump to behavior |
| Source: h4QtFUlwIz.exe | Static PE information: certificate valid |
| Source: h4QtFUlwIz.exe | Static file information: File size 16199144 > 1048576 |
| Source: h4QtFUlwIz.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xf65800 |
| Source: h4QtFUlwIz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
| Source: | Binary string: wextract.pdb source: h4QtFUlwIz.exe |
| Source: | Binary string: C:\agent\_work\66\s\build\ship\x86\scaexec.pdb source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr |
| Source: | Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\SfxCA.pdb source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C51000.00000004.00000020.00020000.00000000.sdmp, h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C15000.00000004.00000020.00020000.00000000.sdmp, h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003D9A000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr |
| Source: | Binary string: C:\agent\_work\66\s\build\ship\x86\scasched.pdb source: h4QtFUlwIz.exe, 00000000.00000003.1999194712.0000000003C5B000.00000004.00000020.00020000.00000000.sdmp, VC234PATCH01.msp.0.dr |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0 | Jump to behavior |
| Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Users\user\Desktop\h4QtFUlwIz.exe | Code function: 0_2_0100646B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, | 0_2_0100646B |
Edit tour
h4QtFUlwIz.exe (PID: 2672 cmdline: 
msiexec.exe (PID: 3868 cmdline: 
rundll32.exe (PID: 6536 cmdline: 
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node