Windows Analysis Report Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Checks for available system drives (often done to infect USB drives)

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: wextract.pdb source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release\setup.pdb source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb0#AD#A source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release\setup.pdba source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000003.1996086225.00000000005F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wextract.pdbe\setup\iexpress\wextract\obj\i386\wextract.pdbU source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: e\setup\iexpress\wextract\obj\i386\wextract.pdb source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00405BCC FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,	0_2_00405BCC
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_0040AE53 SendDlgItemMessageA,DestroyIcon,EndDialog,SetDlgItemTextA,SetDlgItemTextA,SHGetFileInfoA,SendDlgItemMessageA,FindFirstFileA,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatA,GetDateFormatA,wsprintfA,wsprintfA,SetDlgItemTextA,FindClose,wsprintfA,SetDlgItemTextA,SendDlgItemMessageA,DosDateTimeToFileTime,FileTimeToSystemTime,GetTimeFormatA,GetDateFormatA,wsprintfA,SetDlgItemTextA,wsprintfA,SetDlgItemTextA,	0_2_0040AE53
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00419B19 __EH_prolog,GetTempPathA,FindFirstFileA,CompareFileTime,DeleteFileA,FindNextFileA,FindClose,	2_2_00419B19
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0044E9EC __EH_prolog,CreateEventA,GetProcAddress,SearchPathA,GetModuleFileNameA,FindFirstFileA,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose,	2_2_0044E9EC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00443DA4 __EH_prolog,FindFirstFileA,FindNextFileA,FindClose,	2_2_00443DA4

Source: MIDAS.DLL.4.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://earth.google.com/kml/2.0
Source: MIDAS.DLL.4.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: MIDAS.DLL.4.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: MIDAS.DLL.4.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: MIDAS.DLL.4.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://tux.lakes-environmental.com/support/kb_WRPlotView/U
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, Lakes Environmental WRPLOT View - Freeware V.8.0.2.MSI.0.dr	String found in binary or memory: http://www.acresso.com0
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.lakes-environmental.comU
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.turbopower.com
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.webLakes.com
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.webLakes.com/kb/FreewareKB
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.webLakes.com/kb/FreewareKBU
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.webLakes.com/products/wrplot/index.html
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.weblakes.com
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.weblakes.com/images/Lakes_Logo_Google.gif
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.weblakes.com/lakereg.htmlU
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.weblakes.com/services/met_order.htmlU
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.weblakes.com/support/knowledgebase.htmlU
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.webmet.comU

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0040E277 __EH_prolog,ExitWindowsEx,		2_2_0040E277
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_004308F1 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,		2_2_004308F1

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\49a8c0.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{629C1CB5-295E-4B37-93AF-CFC787793E55}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAB50.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\libxl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\MIDAS.DLL	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\pegrp32d.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\ARPPRODUCTICON.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\NewShortcut1_3EB8554C0E2944268585DB2A665787FC.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\NewShortcut2_6E47537717D44A78B035A8BD71F50183.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\49a8c2.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\49a8c2.msi	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\49a8c2.msi

Detected potential crypto function

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00401313	0_2_00401313
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00402C81	0_2_00402C81
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_0040D4BB	0_2_0040D4BB
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_0040995E	0_2_0040995E
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00410D74	0_2_00410D74
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00407DCA	0_2_00407DCA
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00409D9C	0_2_00409D9C
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00409AF2	0_2_00409AF2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045C2F0	2_2_0045C2F0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_004503F0	2_2_004503F0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00460560	2_2_00460560
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045E600	2_2_0045E600
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045C910	2_2_0045C910
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00460A80	2_2_00460A80
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045ADC0	2_2_0045ADC0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00460F10	2_2_00460F10
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045D024	2_2_0045D024
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045D292	2_2_0045D292
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045F8A0	2_2_0045F8A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0041396E	2_2_0041396E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0043999B	2_2_0043999B
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00435AC0	2_2_00435AC0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045BD40	2_2_0045BD40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00441D8E	2_2_00441D8E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045FED0	2_2_0045FED0

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 00402DBC appears 48 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 004086B0 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 004341AC appears 537 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 00401A6D appears 109 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 004010C6 appears 52 times

PE file contains executable resources (Code or Archives)

Source: instmsia.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 1640527 bytes, 16 files, at 0x2c +A "msi.dll" +A "msiexec.exe", ID 16758, number 1, 169 datablocks, 0x1503 compression
Source: instmsiw.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 1755094 bytes, 20 files, at 0x2c +A "msiexec.exe" +A "msihnd.dll", ID 20641, number 1, 171 datablocks, 0x1503 compression

PE file contains more sections than normal

Source: WRPLOT_View.exe.4.dr

Static PE information: Number of sections : 11 > 10

Sample file is different than original file name gathered from version info

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000003.2378112145.0000000000619000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetup.exe ] vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000002.2380628199.0000000000619000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetup.exe ] vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000003.1995424371.0000000000600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameISRegSvr.dll vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000003.2379924782.0000000000619000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetup.exe ] vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000003.1996086225.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetup.exe vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Binary or memory string: OriginalFilenameMsi.dll,MsiHnd.dll,MsiExec.exeD vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Binary or memory string: OriginalFilenameMsi.dll,MsiHnd.dll,MsiExec.exeX vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Binary or memory string: OriginalFilenameSetAllUsers.dll< vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Binary or memory string: OriginalFilenameISRegSvr.dll vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Binary or memory string: OriginalFilenameSetup.exe vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: instmsiw.exe.0.dr

Static PE information: Section: .rsrc ZLIB complexity 0.988773464470656

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, WRPLOT_View.chm.4.dr, Data1.cab.0.dr

Binary or memory string: .SLNDA+

Source: classification engine

Classification label: clean6.winEXE@8/51@0/0

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00403466 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,		0_2_00403466
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_004308F1 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,		2_2_004308F1

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 2_2_0042FD74 LoadLibraryA,GetProcAddress,lstrcpyA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,FreeLibrary,

2_2_0042FD74

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Code function: 0_2_0040A979 OleInitialize,CoCreateInstance,MultiByteToWideChar,OleUninitialize,

0_2_0040A979

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Code function: 0_2_0040966B GetModuleHandleA,FindResourceA,

0_2_0040966B

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\Lakes

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\Public\Desktop\Lakes Environmental

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Source: Yara match

File source: C:\Program Files (x86)\Lakes\WRPLOT View\WRPLOT_View.exe, type: DROPPED

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File read: C:\Windows\win.ini

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File read: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Source: unknown	Process created: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe "C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe"
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe" /w
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\RarSFX0\Lakes Environmental WRPLOT View - Freeware V.8.0.2.msi" SETUPEXEDIR="C:\Users\user\AppData\Local\Temp\RarSFX0" SETUPEXENAME="setup.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A4B11C33E9E2E1AF2F89D4D9B1371E6B C
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe" /w	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\RarSFX0\Lakes Environmental WRPLOT View - Freeware V.8.0.2.msi" SETUPEXEDIR="C:\Users\user\AppData\Local\Temp\RarSFX0" SETUPEXENAME="setup.exe"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A4B11C33E9E2E1AF2F89D4D9B1371E6B C	Jump to behavior

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: WRPLOT View - Freeware.lnk.4.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\Lakes\WRPLOT View\WRPLOT_View.exe
Source: WRPLOT View - Freeware.lnk0.4.dr	LNK file: ..\..\..\..\Program Files (x86)\Lakes\WRPLOT View\WRPLOT_View.exe

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File written: C:\Users\user\AppData\Local\Temp\RarSFX0\0x0409.ini

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Window found: window name: RichEdit

Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: I accept the terms in the license agreement
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Install

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Contains functionality to dynamically determine API calls

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Static file information: File size 21640831 > 1048576

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release\setup.pdb source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb0#AD#A source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release\setup.pdba source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000003.1996086225.00000000005F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wextract.pdbe\setup\iexpress\wextract\obj\i386\wextract.pdbU source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: e\setup\iexpress\wextract\obj\i386\wextract.pdb source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Code function: 0_2_00411585 LoadLibraryA,LoadLibraryA,LoadLibraryA,#17,LoadLibraryA,GetProcAddress,FreeLibrary,SHGetMalloc,

File is packed with WinRar

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4797015

PE file contains sections with non-standard names

Source: WRPLOT_View.exe.4.dr	Static PE information: section name: .didata
Source: gdiplus.dll.4.dr	Static PE information: section name: Shared

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BF578 pushad ; ret	0_3_005BF579
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BF578 pushad ; ret	0_3_005BF579
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BB6F0 pushad ; retf	0_3_005BB6F1
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BB6F0 pushad ; retf	0_3_005BB6F1
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BCFA3 pushad ; retf	0_3_005BD12D
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BCFA3 pushad ; retf	0_3_005BD12D
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BF578 pushad ; ret	0_3_005BF579
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BF578 pushad ; ret	0_3_005BF579
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BB6F0 pushad ; retf	0_3_005BB6F1
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BB6F0 pushad ; retf	0_3_005BB6F1
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BCFA3 pushad ; retf	0_3_005BD12D
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BCFA3 pushad ; retf	0_3_005BD12D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_004341AC push eax; ret	2_2_004341CA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_004349D0 push eax; ret	2_2_004349FE

Source: gdiplus.dll.4.dr

Static PE information: section name: .text entropy: 6.8196811563189135

Drops PE files

Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4C67.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\NewShortcut2_6E47537717D44A78B035A8BD71F50183.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\libxl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\instmsiw.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\pegrp32d.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\instmsia.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Lakes\WRPLOT View\WRPLOT_View.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\gdiplus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\MIDAS.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\NewShortcut1_3EB8554C0E2944268585DB2A665787FC.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\NewShortcut2_6E47537717D44A78B035A8BD71F50183.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\libxl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\pegrp32d.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\MIDAS.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\NewShortcut1_3EB8554C0E2944268585DB2A665787FC.exe	Jump to dropped file

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lakes Environmental			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lakes Environmental\WRPLOT View - Freeware.lnk			Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 2_2_0044E7E0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_0044E7E0

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\NewShortcut2_6E47537717D44A78B035A8BD71F50183.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4C67.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\libxl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\instmsiw.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\pegrp32d.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\instmsia.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Lakes\WRPLOT View\WRPLOT_View.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\gdiplus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\MIDAS.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\NewShortcut1_3EB8554C0E2944268585DB2A665787FC.exe	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Evaded block: after key decision

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00405BCC FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,	0_2_00405BCC
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_0040AE53 SendDlgItemMessageA,DestroyIcon,EndDialog,SetDlgItemTextA,SetDlgItemTextA,SHGetFileInfoA,SendDlgItemMessageA,FindFirstFileA,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatA,GetDateFormatA,wsprintfA,wsprintfA,SetDlgItemTextA,FindClose,wsprintfA,SetDlgItemTextA,SendDlgItemMessageA,DosDateTimeToFileTime,FileTimeToSystemTime,GetTimeFormatA,GetDateFormatA,wsprintfA,SetDlgItemTextA,wsprintfA,SetDlgItemTextA,	0_2_0040AE53
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00419B19 __EH_prolog,GetTempPathA,FindFirstFileA,CompareFileTime,DeleteFileA,FindNextFileA,FindClose,	2_2_00419B19
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0044E9EC __EH_prolog,CreateEventA,GetProcAddress,SearchPathA,GetModuleFileNameA,FindFirstFileA,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose,	2_2_0044E9EC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00443DA4 __EH_prolog,FindFirstFileA,FindNextFileA,FindClose,	2_2_00443DA4

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 2_2_0042E080 __EH_prolog,VirtualQuery,GetSystemInfo,MapViewOfFile,UnmapViewOfFile,

2_2_0042E080

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000003.2378112145.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000003.2378112145.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Code function: 0_2_00411585 LoadLibraryA,LoadLibraryA,LoadLibraryA,#17,LoadLibraryA,GetProcAddress,FreeLibrary,SHGetMalloc,

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Code function: 0_2_0040A1C1 GetProcessHeap,RtlFreeHeap,

0_2_0040A1C1

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0043BACD SetUnhandledExceptionFilter,		2_2_0043BACD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0043BABB SetUnhandledExceptionFilter,		2_2_0043BABB

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe" /w

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 2_2_0042BB71 __EH_prolog,InitializeSecurityDescriptor,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity,LocalFree,LocalFree,

2_2_0042BB71

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 2_2_004309C6 GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,

2_2_004309C6

Source: setup.exe, setup.exe, 00000002.00000002.2377120184.000000000047B000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 00000002.00000000.1998461429.000000000047B000.00000008.00000001.01000000.00000007.sdmp, Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Binary or memory string: Shell_TrayWnd
Source: setup.exe, 00000002.00000002.2377120184.000000000047B000.00000008.00000001.01000000.00000007.sdmp, setup.exe, 00000002.00000000.1998461429.000000000047B000.00000008.00000001.01000000.00000007.sdmp, Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Binary or memory string: %sSetupLogFileNameSoftware\InstallShield\ISWI\7.0\SetupExeLog /z/verbose %IS_V%verboseISSetupSoftware\Microsoft\Windows\CurrentVersion\Run/uninstuninst%IS_T%tempdisk1folder/SMS/sSMS/rremoveasmajorupgraderebootrunfromtemprunas/removeonlyremoveonly/noscript_uninstnoscript_uninst/m1/m2/m/jdefaultinstance=hide_splashhide_progress/f2/fSoftware\Microsoft\Windows\CurrentVersion%IS_E%}embed{/ddebuglog/a/autoauto%s%dkeyLanguagescountShell_TrayWndSplashTimeTahomaCancel%x,ALLCANCELDescriptionTitleMSlovenianBasquedefault%#04x0x0409.ini

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: GetLocaleInfoA,	0_2_0040A828
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: GetLocaleInfoA,	2_2_00430B49
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: GetLocaleInfoA,TranslateCharsetInfo,	2_2_00430AEC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,	2_2_0043EC7A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: EnumSystemLocalesA,	2_2_0043EE4F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,	2_2_00442E54
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,	2_2_00442F67
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: GetLocaleInfoA,MultiByteToWideChar,	2_2_00442F11
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: GetLocaleInfoW,WideCharToMultiByte,	2_2_0044302A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: EnumSystemLocalesA,	2_2_0043F0DA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: EnumSystemLocalesA,	2_2_0043F1ED
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: GetLocaleInfoA,	2_2_0043F3E1

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Code function: 0_2_0040E0E1 GetSystemTime,SystemTimeToFileTime,

0_2_0040E0E1

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Code function: 0_2_0040681C lstrlenA,GlobalAlloc,GetVersionExA,MultiByteToWideChar,WideCharToMultiByte,CreateStreamOnHGlobal,

0_2_0040681C

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Checks for available system drives (often done to infect USB drives)

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: wextract.pdb source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release\setup.pdb source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb0#AD#A source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release\setup.pdba source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000003.1996086225.00000000005F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wextract.pdbe\setup\iexpress\wextract\obj\i386\wextract.pdbU source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: e\setup\iexpress\wextract\obj\i386\wextract.pdb source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00405BCC FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,	0_2_00405BCC
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_0040AE53 SendDlgItemMessageA,DestroyIcon,EndDialog,SetDlgItemTextA,SetDlgItemTextA,SHGetFileInfoA,SendDlgItemMessageA,FindFirstFileA,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatA,GetDateFormatA,wsprintfA,wsprintfA,SetDlgItemTextA,FindClose,wsprintfA,SetDlgItemTextA,SendDlgItemMessageA,DosDateTimeToFileTime,FileTimeToSystemTime,GetTimeFormatA,GetDateFormatA,wsprintfA,SetDlgItemTextA,wsprintfA,SetDlgItemTextA,	0_2_0040AE53
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00419B19 __EH_prolog,GetTempPathA,FindFirstFileA,CompareFileTime,DeleteFileA,FindNextFileA,FindClose,	2_2_00419B19
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0044E9EC __EH_prolog,CreateEventA,GetProcAddress,SearchPathA,GetModuleFileNameA,FindFirstFileA,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose,	2_2_0044E9EC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00443DA4 __EH_prolog,FindFirstFileA,FindNextFileA,FindClose,	2_2_00443DA4

Source: MIDAS.DLL.4.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://earth.google.com/kml/2.0
Source: MIDAS.DLL.4.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: MIDAS.DLL.4.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: MIDAS.DLL.4.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: MIDAS.DLL.4.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://tux.lakes-environmental.com/support/kb_WRPlotView/U
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, Lakes Environmental WRPLOT View - Freeware V.8.0.2.MSI.0.dr	String found in binary or memory: http://www.acresso.com0
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.lakes-environmental.comU
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.turbopower.com
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.webLakes.com
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.webLakes.com/kb/FreewareKB
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.webLakes.com/kb/FreewareKBU
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.webLakes.com/products/wrplot/index.html
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.weblakes.com
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.weblakes.com/images/Lakes_Logo_Google.gif
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.weblakes.com/lakereg.htmlU
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.weblakes.com/services/met_order.htmlU
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.weblakes.com/support/knowledgebase.htmlU
Source: WRPLOT_View.exe.4.dr	String found in binary or memory: http://www.webmet.comU

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0040E277 __EH_prolog,ExitWindowsEx,		2_2_0040E277
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_004308F1 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,		2_2_004308F1

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\49a8c0.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{629C1CB5-295E-4B37-93AF-CFC787793E55}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAB50.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\libxl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\MIDAS.DLL	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\pegrp32d.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\ARPPRODUCTICON.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\NewShortcut1_3EB8554C0E2944268585DB2A665787FC.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\NewShortcut2_6E47537717D44A78B035A8BD71F50183.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\49a8c2.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\49a8c2.msi	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\49a8c2.msi

Detected potential crypto function

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00401313	0_2_00401313
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00402C81	0_2_00402C81
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_0040D4BB	0_2_0040D4BB
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_0040995E	0_2_0040995E
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00410D74	0_2_00410D74
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00407DCA	0_2_00407DCA
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00409D9C	0_2_00409D9C
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00409AF2	0_2_00409AF2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045C2F0	2_2_0045C2F0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_004503F0	2_2_004503F0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00460560	2_2_00460560
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045E600	2_2_0045E600
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045C910	2_2_0045C910
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00460A80	2_2_00460A80
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045ADC0	2_2_0045ADC0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00460F10	2_2_00460F10
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045D024	2_2_0045D024
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045D292	2_2_0045D292
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045F8A0	2_2_0045F8A0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0041396E	2_2_0041396E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0043999B	2_2_0043999B
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00435AC0	2_2_00435AC0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045BD40	2_2_0045BD40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00441D8E	2_2_00441D8E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0045FED0	2_2_0045FED0

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 00402DBC appears 48 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 004086B0 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 004341AC appears 537 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 00401A6D appears 109 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: String function: 004010C6 appears 52 times

PE file contains executable resources (Code or Archives)

Source: instmsia.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 1640527 bytes, 16 files, at 0x2c +A "msi.dll" +A "msiexec.exe", ID 16758, number 1, 169 datablocks, 0x1503 compression
Source: instmsiw.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 1755094 bytes, 20 files, at 0x2c +A "msiexec.exe" +A "msihnd.dll", ID 20641, number 1, 171 datablocks, 0x1503 compression

PE file contains more sections than normal

Source: WRPLOT_View.exe.4.dr

Static PE information: Number of sections : 11 > 10

Sample file is different than original file name gathered from version info

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000003.2378112145.0000000000619000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetup.exe ] vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000002.2380628199.0000000000619000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetup.exe ] vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000003.1995424371.0000000000600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameISRegSvr.dll vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000003.2379924782.0000000000619000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetup.exe ] vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000003.1996086225.00000000005F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetup.exe vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Binary or memory string: OriginalFilenameMsi.dll,MsiHnd.dll,MsiExec.exeD vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Binary or memory string: OriginalFilenameMsi.dll,MsiHnd.dll,MsiExec.exeX vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Binary or memory string: OriginalFilenameSetAllUsers.dll< vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Binary or memory string: OriginalFilenameISRegSvr.dll vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Binary or memory string: OriginalFilenameSetup.exe vs Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: instmsiw.exe.0.dr

Static PE information: Section: .rsrc ZLIB complexity 0.988773464470656

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, WRPLOT_View.chm.4.dr, Data1.cab.0.dr

Binary or memory string: .SLNDA+

Source: classification engine

Classification label: clean6.winEXE@8/51@0/0

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00403466 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,		0_2_00403466
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_004308F1 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,		2_2_004308F1

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 2_2_0042FD74 LoadLibraryA,GetProcAddress,lstrcpyA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,FreeLibrary,

2_2_0042FD74

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Code function: 0_2_0040A979 OleInitialize,CoCreateInstance,MultiByteToWideChar,OleUninitialize,

0_2_0040A979

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Code function: 0_2_0040966B GetModuleHandleA,FindResourceA,

0_2_0040966B

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\Lakes

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\Public\Desktop\Lakes Environmental

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Source: Yara match

File source: C:\Program Files (x86)\Lakes\WRPLOT View\WRPLOT_View.exe, type: DROPPED

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File read: C:\Windows\win.ini

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File read: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Source: unknown	Process created: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe "C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe"
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe" /w
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\RarSFX0\Lakes Environmental WRPLOT View - Freeware V.8.0.2.msi" SETUPEXEDIR="C:\Users\user\AppData\Local\Temp\RarSFX0" SETUPEXENAME="setup.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A4B11C33E9E2E1AF2F89D4D9B1371E6B C
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe" /w	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\RarSFX0\Lakes Environmental WRPLOT View - Freeware V.8.0.2.msi" SETUPEXEDIR="C:\Users\user\AppData\Local\Temp\RarSFX0" SETUPEXENAME="setup.exe"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A4B11C33E9E2E1AF2F89D4D9B1371E6B C	Jump to behavior

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: WRPLOT View - Freeware.lnk.4.dr	LNK file: ..\..\..\..\..\..\Program Files (x86)\Lakes\WRPLOT View\WRPLOT_View.exe
Source: WRPLOT View - Freeware.lnk0.4.dr	LNK file: ..\..\..\..\Program Files (x86)\Lakes\WRPLOT View\WRPLOT_View.exe

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File written: C:\Users\user\AppData\Local\Temp\RarSFX0\0x0409.ini

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Window found: window name: RichEdit

Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: I accept the terms in the license agreement
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Install

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Contains functionality to dynamically determine API calls

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Static file information: File size 21640831 > 1048576

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release\setup.pdb source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb0#AD#A source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release\setup.pdba source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000003.1996086225.00000000005F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wextract.pdbe\setup\iexpress\wextract\obj\i386\wextract.pdbU source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Source:	Binary string: e\setup\iexpress\wextract\obj\i386\wextract.pdb source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Code function: 0_2_00411585 LoadLibraryA,LoadLibraryA,LoadLibraryA,#17,LoadLibraryA,GetProcAddress,FreeLibrary,SHGetMalloc,

File is packed with WinRar

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4797015

PE file contains sections with non-standard names

Source: WRPLOT_View.exe.4.dr	Static PE information: section name: .didata
Source: gdiplus.dll.4.dr	Static PE information: section name: Shared

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BF578 pushad ; ret	0_3_005BF579
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BF578 pushad ; ret	0_3_005BF579
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BB6F0 pushad ; retf	0_3_005BB6F1
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BB6F0 pushad ; retf	0_3_005BB6F1
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BCFA3 pushad ; retf	0_3_005BD12D
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BCFA3 pushad ; retf	0_3_005BD12D
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BF578 pushad ; ret	0_3_005BF579
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BF578 pushad ; ret	0_3_005BF579
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BB6F0 pushad ; retf	0_3_005BB6F1
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BB6F0 pushad ; retf	0_3_005BB6F1
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BCFA3 pushad ; retf	0_3_005BD12D
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_3_005BCFA3 pushad ; retf	0_3_005BD12D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_004341AC push eax; ret	2_2_004341CA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_004349D0 push eax; ret	2_2_004349FE

Source: gdiplus.dll.4.dr

Static PE information: section name: .text entropy: 6.8196811563189135

Drops PE files

Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4C67.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\NewShortcut2_6E47537717D44A78B035A8BD71F50183.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\libxl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\instmsiw.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\pegrp32d.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\instmsia.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Lakes\WRPLOT View\WRPLOT_View.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\gdiplus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\MIDAS.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\NewShortcut1_3EB8554C0E2944268585DB2A665787FC.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\NewShortcut2_6E47537717D44A78B035A8BD71F50183.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\libxl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\pegrp32d.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\MIDAS.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\NewShortcut1_3EB8554C0E2944268585DB2A665787FC.exe	Jump to dropped file

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lakes Environmental			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lakes Environmental\WRPLOT View - Freeware.lnk			Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

2_2_0044E7E0

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\NewShortcut2_6E47537717D44A78B035A8BD71F50183.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4C67.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\libxl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\instmsiw.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\pegrp32d.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\instmsia.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Lakes\WRPLOT View\WRPLOT_View.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\gdiplus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\MIDAS.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{629C1CB5-295E-4B37-93AF-CFC787793E55}\NewShortcut1_3EB8554C0E2944268585DB2A665787FC.exe	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Evaded block: after key decision

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_00405BCC FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,	0_2_00405BCC
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Code function: 0_2_0040AE53 SendDlgItemMessageA,DestroyIcon,EndDialog,SetDlgItemTextA,SetDlgItemTextA,SHGetFileInfoA,SendDlgItemMessageA,FindFirstFileA,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatA,GetDateFormatA,wsprintfA,wsprintfA,SetDlgItemTextA,FindClose,wsprintfA,SetDlgItemTextA,SendDlgItemMessageA,DosDateTimeToFileTime,FileTimeToSystemTime,GetTimeFormatA,GetDateFormatA,wsprintfA,SetDlgItemTextA,wsprintfA,SetDlgItemTextA,	0_2_0040AE53
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00419B19 __EH_prolog,GetTempPathA,FindFirstFileA,CompareFileTime,DeleteFileA,FindNextFileA,FindClose,	2_2_00419B19
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0044E9EC __EH_prolog,CreateEventA,GetProcAddress,SearchPathA,GetModuleFileNameA,FindFirstFileA,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose,	2_2_0044E9EC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_00443DA4 __EH_prolog,FindFirstFileA,FindNextFileA,FindClose,	2_2_00443DA4

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Code function: 2_2_0042E080 __EH_prolog,VirtualQuery,GetSystemInfo,MapViewOfFile,UnmapViewOfFile,

2_2_0042E080

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000003.2378112145.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe, 00000000.00000003.2378112145.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Code function: 0_2_00411585 LoadLibraryA,LoadLibraryA,LoadLibraryA,#17,LoadLibraryA,GetProcAddress,FreeLibrary,SHGetMalloc,

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Code function: 0_2_0040A1C1 GetProcessHeap,RtlFreeHeap,

0_2_0040A1C1

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0043BACD SetUnhandledExceptionFilter,		2_2_0043BACD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Code function: 2_2_0043BABB SetUnhandledExceptionFilter,		2_2_0043BABB

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe" /w