Analysis Report Setup.exe

Overview

General Information

Sample Name: Setup.exe
Analysis ID: 358589
MD5: 7b5d30bd9b7cdcca79e189aaaf5707fa
SHA1: 45fe889c3660be692ba30bb6bcdc2b51380c214e
SHA256: a6385ebfc0c6e766e9f068ad348a53e39a18875da5e3759428633984c0b075aa

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found evasive API chain (date check)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

Compliance:

Uses 32bit PE files
Source: Setup.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Unicode\setup.pdb source: Setup.exe
Source: Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: Star4Live_P2P.msi0.0.dr

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\SysWOW64\msiexec.exe File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: e:
Source: C:\Windows\System32\svchost.exe File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004221BF __EH_prolog3,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW, 0_2_004221BF
Source: MSI1304.tmp.2.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000019.00000002.470773517.0000029D7CA14000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000019.00000002.470773517.0000029D7CA14000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000019.00000002.470773517.0000029D7CA14000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: MSI1304.tmp.2.dr String found in binary or memory: http://ocsp.thawte.com0
Source: svchost.exe, 00000019.00000002.470491719.0000029D7C980000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000019.00000002.466584853.0000029D7B2A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate
Source: MSI1304.tmp.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: MSI1304.tmp.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: MSI1304.tmp.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: svchost.exe, 0000001F.00000002.310869374.000001DB23613000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: MSI1304.tmp.2.dr String found in binary or memory: http://www.flexerasoftware.com0
Source: Setup.exe String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: Setup.exe, 00000000.00000002.263650863.000000000088A000.00000004.00000020.sdmp, msiexec.exe, 00000002.00000003.254356751.000000000341F000.00000004.00000001.sdmp String found in binary or memory: http://www.star4live.com
Source: msiexec.exe, 00000002.00000003.212346389.00000000033EC000.00000004.00000001.sdmp String found in binary or memory: http://www.star4live.comi4w
Source: svchost.exe, 0000001C.00000002.466340191.00000268B822A000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000001C.00000002.466340191.00000268B822A000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000001C.00000002.466340191.00000268B822A000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000001F.00000003.309978164.000001DB23660000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000001C.00000002.466340191.00000268B822A000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000001C.00000002.466340191.00000268B822A000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000001F.00000003.310023457.000001DB2364B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000001F.00000003.309978164.000001DB23660000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000001F.00000002.310932690.000001DB2363E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000001F.00000003.309978164.000001DB23660000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000001F.00000003.310023457.000001DB2364B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000001F.00000002.310932690.000001DB2363E000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000001F.00000003.309978164.000001DB23660000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000001F.00000003.309978164.000001DB23660000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000001F.00000003.309978164.000001DB23660000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000001F.00000002.310942420.000001DB23642000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000001F.00000002.310942420.000001DB23642000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000001F.00000003.309978164.000001DB23660000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000001F.00000003.310512253.000001DB23646000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000001F.00000003.310023457.000001DB2364B000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000001F.00000003.310512253.000001DB23646000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000001F.00000003.310512253.000001DB23646000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000001F.00000002.310997843.000001DB23664000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.310942420.000001DB23642000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.310518653.000001DB23641000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000001F.00000003.309978164.000001DB23660000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000001F.00000002.310932690.000001DB2363E000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000001F.00000003.286601390.000001DB23631000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000001F.00000002.310932690.000001DB2363E000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000001F.00000002.310932690.000001DB2363E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.310869374.000001DB23613000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000001F.00000003.310525588.000001DB23645000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000001F.00000003.310525588.000001DB23645000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000001F.00000003.286601390.000001DB23631000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000001F.00000003.286601390.000001DB23631000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000001F.00000003.310023457.000001DB2364B000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

System Summary:

Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004480D2 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 0_2_004480D2
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Detected potential crypto function
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0042C46B 0_2_0042C46B
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0049BDC0 0_2_0049BDC0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 00401850 appears 62 times
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 004674D0 appears 66 times
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 00409071 appears 44 times
PE file contains strange resources
Source: Setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Uses 32bit PE files
Source: Setup.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: classification engine Classification label: sus24.evad.winEXE@44/20@0/1
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004480D2 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 0_2_004480D2
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004437CD LoadLibraryW,GetProcAddress,lstrcpyW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,FreeLibrary, 0_2_004437CD
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00417786 FindResourceW,SizeofResource,LoadResource,LockResource, 0_2_00417786
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe File created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\log
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Downloaded Installations
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6208:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4084:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6312:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7148:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2992:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6224:120:WilError_01
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{429B5CB3-339E-483B-9032-CB0DA14F2F9A}\
Source: C:\Users\user\Desktop\Setup.exe Command line argument: debuglog 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: runfromtemp 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: reboot 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: %s%s 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: tempdisk1folder 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: ISSetup.dll 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: ISSetup.dll 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: Skin 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: Startup 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: setup.isn 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: count 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: Languages 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: key%d 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: Languages 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: %s\0x%04x.ini 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: %s\0x%04x.ini 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: %s\%04x.mst 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: %s\%04x.mst 0_2_0043E4C0
Source: Setup.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CloudHttpServer.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CloudHttpWindowPopup.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CloudHttpServer.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CloudHttpWindowPopup.exe")
Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\user\AppData\Local\Temp\{429B5CB3-339E-483B-9032-CB0DA14F2F9A}\Setup.INI
Source: C:\Users\user\Desktop\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\user\Desktop\Setup.exe
Source: unknown Process created: C:\Users\user\Desktop\Setup.exe 'C:\Users\user\Desktop\Setup.exe'
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i 'C:\Users\user\AppData\Local\Downloaded Installations\{877F9BE8-C6E2-462D-9A96-09E42390D002}\Star4Live_P2P.msi' SETUPEXEDIR='C:\Users\user\Desktop' SETUPEXENAME='Setup.exe'
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C31728C15F7B7E0360F95AF524D72042 C
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9ADD54B1DEB9106D315583847C272BCA
Source: unknown Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpServer.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpWindowPopup.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe
Source: unknown Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe
Source: unknown Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpServer.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpWindowPopup.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i 'C:\Users\user\AppData\Local\Downloaded Installations\{877F9BE8-C6E2-462D-9A96-09E42390D002}\Star4Live_P2P.msi' SETUPEXEDIR='C:\Users\user\Desktop' SETUPEXENAME='Setup.exe'
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpServer.exe
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpWindowPopup.exe
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpServer.exe
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpWindowPopup.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Source: C:\Users\user\Desktop\Setup.exe File written: C:\Users\user\AppData\Local\Temp\{429B5CB3-339E-483B-9032-CB0DA14F2F9A}\Setup.INI
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Install
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Setup.exe Static file information: File size 9610518 > 1048576
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Unicode\setup.pdb source: Setup.exe
Source: Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: Star4Live_P2P.msi0.0.dr

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0042C46B _memset,_memset,lstrlenW,_memset,wsprintfW,___FUnloadDelayLoadedDLL2@4,LoadLibraryW,GetProcAddress,GetLastError,GetSystemTimeAsFileTime, 0_2_0042C46B
PE file contains an invalid checksum
Source: Setup.exe Static PE information: real checksum: 0x12b0bb should be: 0x92c131
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004481BD push 590001EBh; ret 0_2_004481C4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 2_2_07E4FAB6 push ds; retn 0000h 2_2_07E4FAB7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 2_2_0840F96E push ds; retn 0000h 2_2_0840F96F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 2_2_0840DDF8 push 00000078h; ret 2_2_0840DDFA

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI1304.tmp
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (date check)
Source: C:\Users\user\Desktop\Setup.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe TID: 1540 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6628 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Setup.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004221BF __EH_prolog3,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW, 0_2_004221BF
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004404D3 __EH_prolog3,VirtualQuery,GetSystemInfo,MapViewOfFile, 0_2_004404D3
Source: svchost.exe, 00000001.00000002.208069130.00000213E0740000.00000002.00000001.sdmp, msiexec.exe, 00000002.00000002.257719427.0000000005D00000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.275587286.00000210AF660000.00000002.00000001.sdmp, svchost.exe, 0000001C.00000002.468740260.00000268B8F40000.00000002.00000001.sdmp, svchost.exe, 00000022.00000002.300275137.0000022A9D8B0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000019.00000002.470998272.0000029D7CA62000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000019.00000002.470937429.0000029D7CA55000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000001B.00000002.466063169.0000016944E02000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000001.00000002.208069130.00000213E0740000.00000002.00000001.sdmp, msiexec.exe, 00000002.00000002.257719427.0000000005D00000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.275587286.00000210AF660000.00000002.00000001.sdmp, svchost.exe, 0000001C.00000002.468740260.00000268B8F40000.00000002.00000001.sdmp, svchost.exe, 00000022.00000002.300275137.0000022A9D8B0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000001.00000002.208069130.00000213E0740000.00000002.00000001.sdmp, msiexec.exe, 00000002.00000002.257719427.0000000005D00000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.275587286.00000210AF660000.00000002.00000001.sdmp, svchost.exe, 0000001C.00000002.468740260.00000268B8F40000.00000002.00000001.sdmp, svchost.exe, 00000022.00000002.300275137.0000022A9D8B0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000019.00000002.466353504.0000029D7B22A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW=
Source: svchost.exe, 0000001B.00000002.466189907.0000016944E28000.00000004.00000001.sdmp, svchost.exe, 0000001C.00000002.466613856.00000268B8266000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000002.466960401.0000022E5A629000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000001.00000002.208069130.00000213E0740000.00000002.00000001.sdmp, msiexec.exe, 00000002.00000002.257719427.0000000005D00000.00000002.00000001.sdmp, svchost.exe, 0000001A.00000002.275587286.00000210AF660000.00000002.00000001.sdmp, svchost.exe, 0000001C.00000002.468740260.00000268B8F40000.00000002.00000001.sdmp, svchost.exe, 00000022.00000002.300275137.0000022A9D8B0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0042C46B _memset,_memset,lstrlenW,_memset,wsprintfW,___FUnloadDelayLoadedDLL2@4,LoadLibraryW,GetProcAddress,GetLastError,GetSystemTimeAsFileTime, 0_2_0042C46B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00409B54 GetFileSize,GetProcessHeap,GetProcessHeap,HeapAlloc,ReadFile,lstrlenA,__alloca_probe_16,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,ReadFile,GetProcessHeap,HeapFree, 0_2_00409B54
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpServer.exe Jump to behavior
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpWindowPopup.exe Jump to behavior
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpServer.exe Jump to behavior
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpWindowPopup.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe Jump to behavior
Uses taskkill to terminate processes
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0043C9DC __EH_prolog3,_memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity, 0_2_0043C9DC
Source: svchost.exe, 0000001D.00000002.467186237.0000021752460000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Setup.exe, svchost.exe, 0000001D.00000002.467186237.0000021752460000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 0000001D.00000002.467186237.0000021752460000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Setup.exe Binary or memory string: AShell_TrayWndTahoma0x0409NoSuppressRebootKeyDotNetOptionalInstallIfSilentDotNetOptionalSETUPEXENAMESETUPEXEDIRCertKeyCacheFolderCacheRootLocationTypeSuppressWrongOSSuppressReboot
Source: svchost.exe, 0000001D.00000002.467186237.0000021752460000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: Setup.exe Binary or memory string: AShell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Setup.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_00480075
Source: C:\Users\user\Desktop\Setup.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_0048000E
Source: C:\Users\user\Desktop\Setup.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 0_2_004800B1
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0042C46B _memset,_memset,lstrlenW,_memset,wsprintfW,___FUnloadDelayLoadedDLL2@4,LoadLibraryW,GetProcAddress,GetLastError,GetSystemTimeAsFileTime, 0_2_0042C46B
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00432AA2 GetVersionExW,GetSystemInfo, 0_2_00432AA2

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000021.00000002.466364627.000001CD8943D000.00000004.00000001.sdmp Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 00000021.00000002.466429130.000001CD89502000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Behavior Graph: ID 358589, Sample Setup.exe, Startdate 25/02/2021, Architecture WINDOWS, Score 24 (graph image not reproduced; it shows Setup.exe starting msiexec.exe, which drops C:\Users\user\AppData\Local\...\MSI1304.tmp (PE32); CloudHttpWin32Server.exe starting cmd.exe / taskkill.exe / conhost.exe chains; svchost.exe flagged for changing security center settings; and a connection to 127.0.0.1)

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
(no entries)

Private IPs

127.0.0.1