Analysis Report Setup.exe

Overview

General Information

Sample Name: Setup.exe
Analysis ID: 358589
MD5: 7b5d30bd9b7cdcca79e189aaaf5707fa
SHA1: 45fe889c3660be692ba30bb6bcdc2b51380c214e
SHA256: a6385ebfc0c6e766e9f068ad348a53e39a18875da5e3759428633984c0b075aa
Detection

Score: 25
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

Compliance:

Uses 32bit PE files
Source: Setup.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Unicode\setup.pdb source: Setup.exe
Source: Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: Star4Live_P2P.msi.2.dr

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\SysWOW64\msiexec.exe File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004221BF __EH_prolog3,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW, 0_2_004221BF
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0045CFFF GetProcAddress,SearchPathW,GetModuleFileNameW,FindFirstFileW,CreateEventW,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect, 0_2_0045CFFF
Source: msiexec.exe, 00000009.00000003.261916278.0000000007E54000.00000004.00000001.sdmp, Star4Live_P2P.msi.2.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000008.00000002.502139929.0000029037C0F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: msiexec.exe, 00000003.00000002.390037940.0000000005560000.00000004.00000001.sdmp String found in binary or memory: http://csc3-2010-crl.verisign.c
Source: svchost.exe, 00000008.00000002.502139929.0000029037C0F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000008.00000002.502139929.0000029037C0F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: msiexec.exe, 00000009.00000003.261916278.0000000007E54000.00000004.00000001.sdmp, Star4Live_P2P.msi.2.dr String found in binary or memory: http://ocsp.thawte.com0
Source: svchost.exe, 00000008.00000002.501957880.0000029037B50000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: msiexec.exe, 00000009.00000003.261916278.0000000007E54000.00000004.00000001.sdmp, Star4Live_P2P.msi.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: msiexec.exe, 00000009.00000003.261916278.0000000007E54000.00000004.00000001.sdmp, Star4Live_P2P.msi.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: msiexec.exe, 00000009.00000003.261916278.0000000007E54000.00000004.00000001.sdmp, Star4Live_P2P.msi.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: svchost.exe, 00000010.00000002.309337088.000002AC12013000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: msiexec.exe, 00000009.00000003.261916278.0000000007E54000.00000004.00000001.sdmp, Star4Live_P2P.msi.2.dr String found in binary or memory: http://www.flexerasoftware.com0
Source: Setup.exe String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: Setup.exe, msiexec.exe, 00000009.00000003.370808698.000000000336E000.00000004.00000001.sdmp String found in binary or memory: http://www.star4live.com
Source: msiexec.exe, 00000009.00000003.259756510.0000000003335000.00000004.00000001.sdmp String found in binary or memory: http://www.star4live.com:
Source: msiexec.exe, 00000009.00000003.259987657.000000000332C000.00000004.00000001.sdmp String found in binary or memory: http://www.star4live.come
Source: Setup.exe, 00000002.00000003.219207709.00000000007DC000.00000004.00000001.sdmp String found in binary or memory: http://www.star4live.comyw
Source: svchost.exe, 0000000D.00000002.493725245.000002809F244000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000D.00000002.493725245.000002809F244000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000D.00000002.493725245.000002809F244000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000010.00000003.308944817.000002AC1205F000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000D.00000002.493725245.000002809F244000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000D.00000002.493725245.000002809F244000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000010.00000003.308983808.000002AC1205A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000010.00000003.308944817.000002AC1205F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000010.00000002.309367137.000002AC1203D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000010.00000003.308944817.000002AC1205F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000010.00000003.308952020.000002AC12048000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000010.00000003.308944817.000002AC1205F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000010.00000002.309367137.000002AC1203D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000010.00000003.308944817.000002AC1205F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000010.00000003.308944817.000002AC1205F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000010.00000003.308944817.000002AC1205F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000010.00000002.309374536.000002AC12042000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.309069811.000002AC12040000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000010.00000002.309374536.000002AC12042000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000010.00000003.308944817.000002AC1205F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000010.00000002.309395052.000002AC1205C000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.309069811.000002AC12040000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000010.00000003.308983808.000002AC1205A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000010.00000002.309395052.000002AC1205C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000010.00000002.309395052.000002AC1205C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000010.00000003.308952020.000002AC12048000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.309374536.000002AC12042000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000010.00000003.308944817.000002AC1205F000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000010.00000002.309367137.000002AC1203D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000010.00000003.287172571.000002AC12032000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000010.00000002.309367137.000002AC1203D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000010.00000002.309337088.000002AC12013000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.309367137.000002AC1203D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000010.00000003.309059603.000002AC12045000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000010.00000003.309059603.000002AC12045000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000010.00000003.287172571.000002AC12032000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000010.00000002.309360074.000002AC1203B000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000010.00000003.308952020.000002AC12048000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

System Summary:

Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004480D2 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 0_2_004480D2
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Detected potential crypto function
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0042C46B 0_2_0042C46B
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0049BDC0 0_2_0049BDC0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0048C43E 0_2_0048C43E
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0046C67B 0_2_0046C67B
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004606CF 0_2_004606CF
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0048874C 0_2_0048874C
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0049C7EC 0_2_0049C7EC
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0046CB50 0_2_0046CB50
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00478C6D 0_2_00478C6D
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0046CF24 0_2_0046CF24
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00499140 0_2_00499140
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0046D330 0_2_0046D330
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0046D750 0_2_0046D750
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00479A8E 0_2_00479A8E
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00475D76 0_2_00475D76
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00479D09 0_2_00479D09
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00475F74 0_2_00475F74
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0047A00E 0_2_0047A00E
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0048E7C3 0_2_0048E7C3
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004967A0 0_2_004967A0
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0047ABE4 0_2_0047ABE4
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_3_007711A1 2_3_007711A1
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_3_0077132F 2_3_0077132F
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0227D700 2_2_0227D700
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_3_00771645 2_3_00771645
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 00466D2B appears 52 times
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 0047854F appears 37 times
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 00467539 appears 70 times
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 00401850 appears 153 times
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 00467503 appears 54 times
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 00409071 appears 109 times
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 004674D0 appears 538 times
Source: C:\Users\user\Desktop\Setup.exe Code function: String function: 0046A4AC appears 60 times
PE file contains strange resources
Source: Setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Setup.exe, 00000002.00000002.440216351.0000000003AB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Setup.exe
Source: Setup.exe, 00000002.00000002.440985276.0000000004B90000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamempr.dll.muij% vs Setup.exe
Source: Setup.exe, 00000002.00000002.440961544.0000000004B60000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Setup.exe
Source: Setup.exe, 00000002.00000002.440961544.0000000004B60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Setup.exe
Source: Setup.exe, 00000002.00000002.440704372.0000000004A60000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Setup.exe
Source: Setup.exe, 00000002.00000002.440618070.0000000004790000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs Setup.exe
Source: Setup.exe, 00000002.00000002.440490177.0000000004560000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs Setup.exe
Source: Setup.exe, 00000004.00000002.477185718.0000000004480000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Setup.exe
Source: Setup.exe, 00000004.00000002.477081557.0000000004420000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs Setup.exe
Source: Setup.exe, 00000004.00000002.476893767.0000000003BC0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Setup.exe
Source: Setup.exe, 00000004.00000002.476893767.0000000003BC0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Setup.exe
Source: Setup.exe, 00000004.00000002.476711345.0000000003AB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Setup.exe
Source: Setup.exe, 00000004.00000002.477336968.0000000004670000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamempr.dll.muij% vs Setup.exe
Source: Setup.exe, 00000004.00000002.477479643.0000000004A70000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Setup.exe
Source: Setup.exe, 00000004.00000002.477315032.0000000004660000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs Setup.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Uses 32bit PE files
Source: Setup.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: classification engine Classification label: sus25.evad.winEXE@52/41@0/1
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004480D2 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 0_2_004480D2
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004437CD LoadLibraryW,GetProcAddress,lstrcpyW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,FreeLibrary, 0_2_004437CD
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00449328 __EH_prolog3,GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,CoCreateInstance, 0_2_00449328
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00417786 FindResourceW,SizeofResource,LoadResource,LockResource, 0_2_00417786
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe File created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\log
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Downloaded Installations
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5904:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3236:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5148:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6968:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1636:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7112:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4660:120:WilError_01
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{87B4B6A8-70D2-4440-A989-3BFB21701630}\
Source: C:\Users\user\Desktop\Setup.exe Command line argument: debuglog 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: runfromtemp 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: reboot 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: %s%s 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: tempdisk1folder 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: ISSetup.dll 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: ISSetup.dll 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: Skin 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: Startup 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: setup.isn 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: count 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: Languages 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: key%d 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: Languages 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: %s\0x%04x.ini 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: %s\0x%04x.ini 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: %s\%04x.mst 0_2_0043E4C0
Source: C:\Users\user\Desktop\Setup.exe Command line argument: %s\%04x.mst 0_2_0043E4C0
Source: Setup.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CloudHttpServer.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "CloudHttpWindowPopup.exe")
Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\user\AppData\Local\Temp\{87B4B6A8-70D2-4440-A989-3BFB21701630}\Setup.INI
Source: C:\Users\user\Desktop\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Setup.exe, 00000004.00000003.393931397.00000000007BB000.00000004.00000001.sdmp Binary or memory string: Select the language for this installation from the choices below.M;V
Source: Setup.exe, 00000002.00000003.222364874.00000000007E8000.00000004.00000001.sdmp Binary or memory string: Select the language for the installation from the choices below.ue?;Gy
Source: Setup.exe, 00000004.00000003.394116684.00000000007B7000.00000004.00000001.sdmp Binary or memory string: Select the language for the installation from the choices below.M;V
Source: Setup.exe String found in binary or memory: /install
Source: Setup.exe String found in binary or memory: "C:\Users\user\Desktop\Setup.exe" /install
Source: Setup.exe String found in binary or memory: /load
Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\user\Desktop\Setup.exe
Source: unknown Process created: C:\Users\user\Desktop\Setup.exe 'C:\Users\user\Desktop\Setup.exe' -install
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\Desktop\Setup.exe 'C:\Users\user\Desktop\Setup.exe' /install
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i 'C:\Users\user\AppData\Local\Downloaded Installations\{877F9BE8-C6E2-462D-9A96-09E42390D002}\Star4Live_P2P.msi' SETUPEXEDIR='C:\Users\user\Desktop' SETUPEXENAME='Setup.exe'
Source: unknown Process created: C:\Users\user\Desktop\Setup.exe 'C:\Users\user\Desktop\Setup.exe' /load
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9E242D63C6C5D5E231BB9EB11245C520 C
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i 'Star4Live_P2P.msi' SETUPEXEDIR='C:\Users\user\Desktop' SETUPEXENAME='Setup.exe'
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 473428559025B542E3E2396586915966 C
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D1843EBFEE2228D346DEF5F3B9D57C7D
Source: unknown Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpServer.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpWindowPopup.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe
Source: unknown Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe
Source: unknown Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i 'C:\Users\user\AppData\Local\Downloaded Installations\{877F9BE8-C6E2-462D-9A96-09E42390D002}\Star4Live_P2P.msi' SETUPEXEDIR='C:\Users\user\Desktop' SETUPEXENAME='Setup.exe'
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i 'Star4Live_P2P.msi' SETUPEXEDIR='C:\Users\user\Desktop' SETUPEXENAME='Setup.exe'
Source: C:\Users\user\Desktop\Setup.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpServer.exe
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpWindowPopup.exe
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe
Source: C:\Users\user\Desktop\Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\InProcServer32
Source: C:\Users\user\Desktop\Setup.exe File written: C:\Users\user\AppData\Local\Temp\{87B4B6A8-70D2-4440-A989-3BFB21701630}\Setup.INI
Source: C:\Users\user\Desktop\Setup.exe Automated click: OK
Source: C:\Users\user\Desktop\Setup.exe Automated click: OK
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Install
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Install
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: OK
Source: C:\Users\user\Desktop\Setup.exe Automated click: OK
Source: C:\Users\user\Desktop\Setup.exe Automated click: OK
Source: C:\Users\user\Desktop\Setup.exe Automated click: OK
Source: C:\Users\user\Desktop\Setup.exe Automated click: OK
Source: C:\Users\user\Desktop\Setup.exe Automated click: OK
Source: C:\Users\user\Desktop\Setup.exe Automated click: OK
Source: C:\Users\user\Desktop\Setup.exe Automated click: OK
Source: C:\Users\user\Desktop\Setup.exe Automated click: OK
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Install
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Install
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Setup.exe Static file information: File size 9610518 > 1048576
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Unicode\setup.pdb source: Setup.exe
Source: Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: Star4Live_P2P.msi.2.dr

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0042C46B _memset,_memset,lstrlenW,_memset,wsprintfW,___FUnloadDelayLoadedDLL2@4,LoadLibraryW,GetProcAddress,GetLastError,GetSystemTimeAsFileTime, 0_2_0042C46B
PE file contains an invalid checksum
Source: Setup.exe Static PE information: real checksum: 0x12b0bb should be: 0x92c131
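The mismatch flagged above is between the CheckSum field stored in IMAGE_OPTIONAL_HEADER and the value the imagehlp algorithm yields for the file on disk: every 32-bit word is summed with end-around carry, the word holding the CheckSum field itself is skipped, the sum is folded to 16 bits, and the file length is added. The following Python is added here as a worked example; it is not part of the Joe Sandbox report or of the Star4Live installer. It recomputes the value for a file and compares it with the header, and the minimal PE32 image it builds for the demonstration is a constructed stand-in (headers plus a few code bytes), not bytes from Setup.exe. A stale or zero checksum is common in non-Microsoft user-mode binaries because Windows ignores the field for ordinary executables and checks it for drivers and some system DLLs, so on its own this signature is weak evidence.

```python
"""Recompute and verify the PE header CheckSum (added example; not from the report)."""
import struct

# IMAGE_OPTIONAL_HEADER.CheckSum sits 0x40 bytes into the optional header (PE32 and PE32+).
CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 0x40
PE_SIGNATURE_SIZE = 4
FILE_HEADER_SIZE = 20


def checksum_field_offset(data: bytes) -> int:
    """File offset of the CheckSum field, located via e_lfanew."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    return e_lfanew + PE_SIGNATURE_SIZE + FILE_HEADER_SIZE + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER


def compute_pe_checksum(data: bytes) -> int:
    """CheckSum as imagehlp!CheckSumMappedFile computes it.

    Sum all 32-bit words with end-around carry, skipping the word that holds the
    CheckSum field, fold the result to 16 bits and add the (unpadded) file length.
    """
    skip_word = checksum_field_offset(data) & ~3
    padded = data + b"\0" * (-len(data) % 4)  # a trailing partial word is zero-extended
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip_word:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def stored_checksum(data: bytes) -> int:
    """The CheckSum value as written in the header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def with_checksum(data: bytes, value: int) -> bytes:
    """Copy of the image with the header CheckSum replaced by `value`."""
    off = checksum_field_offset(data)
    return data[:off] + struct.pack("<I", value) + data[off + 4:]


def checksum_matches(data: bytes) -> bool:
    """True when the header value equals the recomputed one (what the sandbox signature tests)."""
    return stored_checksum(data) == compute_pe_checksum(data)


def build_minimal_pe(checksum: int = 0) -> bytes:
    """Constructed stand-in image: headers plus a few code bytes, not a loadable binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    # Machine=i386, 1 section, no symbols, SizeOfOptionalHeader=224 (PE32), Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, CHECKSUM_OFFSET_IN_OPTIONAL_HEADER, checksum)
    code = b"\x55\x8b\xec" * 33  # 99 bytes, so the file length is not a multiple of 4
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + code


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    print(f"stored 0x{stored_checksum(image):x}, computed 0x{compute_pe_checksum(image):x}, "
          f"{'match' if checksum_matches(image) else 'MISMATCH'}")
```

Run it with a path to any PE to reproduce the "real checksum ... should be ..." comparison; without an argument it checks the constructed image. Because the CheckSum word is skipped during summation, writing the computed value back into the header and recomputing yields the same number, which is the property a signing or repair tool relies on.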
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004481BD push 590001EBh; ret 0_2_004481C4
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0046A4F1 push ecx; ret 0_2_0046A504
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_3_0076DB2A push E8006209h; ret 2_3_0076DB3D
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0074CE74 pushfd ; iretd 2_2_0074CE75
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0074CF50 push esp; iretd 2_2_0074CF51
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_00754244 push edx; retf 2_2_00754246
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0074CE34 pushad ; iretd 2_2_0074CE39
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0074D734 push 680074C3h; ret 2_2_0074D745
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0074D720 pushfd ; iretd 2_2_0074D731
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_00750DF3 push F00074C3h; retf 2_2_00750EB1
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0074D8FB pushad ; iretd 2_2_0074D905
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0075AFD8 push eax; iretd 2_2_0075AFD9
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0074E6CB pushad ; retf 2_2_0074E779
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_007551BD push eax; retn 0074h 2_2_007552A9
Source: C:\Users\user\Desktop\Setup.exe Code function: 2_2_0076DB2A push E8006209h; ret 2_2_0076DB3D
Source: C:\Users\user\Desktop\Setup.exe Code function: 4_2_020D9671 push FFFFFFFFh; iretd 4_2_020D969A
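The push/ret hits listed above come from a byte-pattern heuristic: `push imm32; ret` (opcodes 68 xx xx xx xx C3) and `push r32; ret` (50+r C3) transfer control without a call or jmp, so signature engines flag them as a possible attempt to hide the control flow. The Python below is added here as a worked example, not code from the report or from the sample. It runs that scan over a constructed byte string and shows the heuristic's main weakness: a linear sweep that starts at every byte offset also matches inside the immediate operand of a `call`, so each hit needs confirmation in a disassembler before it counts as obfuscation rather than as a decode artifact.

```python
"""Scan x86 code for push/ret control transfers (added example; not from the report)."""
import struct

REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")


def find_push_ret(code: bytes, base: int = 0) -> list:
    """Return (address, text) for every `push imm32; ret` and `push r32; ret` found.

    The scan is a linear sweep from every byte offset, like a signature engine's;
    it does not track instruction boundaries, so it can also fire inside another
    instruction's operand bytes (see the constructed sample below).
    """
    hits = []
    for i in range(len(code) - 1):
        op = code[i]
        if op == 0x68 and i + 5 < len(code) and code[i + 5] == 0xC3:
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append((base + i, f"push {target:08X}h; ret"))  # jumps to `target`
        elif 0x50 <= op <= 0x57 and code[i + 1] == 0xC3:
            hits.append((base + i, f"push {REG32[op - 0x50]}; ret"))  # jumps to the register value
    return hits


# Constructed sample (not bytes from Setup.exe):
#   offset 0  : push ebp / mov ebp, esp   - ordinary prologue, no hit
#   offset 3  : push 00402010h / ret      - genuine push/ret transfer to 0x00402010
#   offset 9  : call +0x68 / ret          - the 0x68 inside the call's rel32 looks like `push`
#   offset 16 : push ecx / ret            - register variant
SAMPLE = (b"\x55\x8b\xec"
          + b"\x68\x10\x20\x40\x00\xc3"
          + b"\xe8\x68\x00\x00\x00\xc3\xc3"
          + b"\x51\xc3")


def scan_sample(base: int = 0x00401000) -> list:
    """Scan the constructed sample; expect one real hit, one decode artifact, one register hit."""
    return find_push_ret(SAMPLE, base)


if __name__ == "__main__":
    for addr, text in scan_sample():
        print(f"{addr:08X} {text}")
```

The second hit in the sample is the decode artifact: the bytes 68 00 00 00 C3 are the tail of a `call` and the following `ret`, not a `push` at all. In a triage workflow, keep only the hits whose address falls on an instruction boundary in a proper disassembly.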

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI7AD6.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI2FA4.tmp
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00428BED __EH_prolog3,GetTempPathW,CoCreateGuid,CreateDirectoryW,GetPrivateProfileStringW,CreateDirectoryW, 0_2_00428BED

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0045D179 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0045D179
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Setup.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpServer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Setup.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\Setup.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 1788 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe TID: 6260 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\conhost.exe TID: 1564 Thread sleep count: 39 > 30
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe TID: 1260 Thread sleep time: -120000s >= -30000s
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe TID: 3596 Thread sleep time: -120000s >= -30000s
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWindowPopup.exe TID: 5140 Thread sleep time: -120000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Setup.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\Desktop\Setup.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Setup.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004221BF __EH_prolog3,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW, 0_2_004221BF
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0045CFFF GetProcAddress,SearchPathW,GetModuleFileNameW,FindFirstFileW,CreateEventW,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect, 0_2_0045CFFF
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004404D3 __EH_prolog3,VirtualQuery,GetSystemInfo,MapViewOfFile, 0_2_004404D3
Source: svchost.exe, 00000008.00000002.502292527.0000029037C62000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000001.00000002.212378572.0000011F65540000.00000002.00000001.sdmp, Setup.exe, 00000002.00000002.440216351.0000000003AB0000.00000002.00000001.sdmp, msiexec.exe, 00000003.00000002.390645671.0000000008180000.00000002.00000001.sdmp, Setup.exe, 00000004.00000002.476711345.0000000003AB0000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.432713310.0000000005DE0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.285220007.0000012B46D40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.501388499.000002809FF40000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.301516817.0000026241340000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000008.00000002.502250961.0000029037C4A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000C.00000002.493000570.000002A06F802000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000001.00000002.212378572.0000011F65540000.00000002.00000001.sdmp, Setup.exe, 00000002.00000002.440216351.0000000003AB0000.00000002.00000001.sdmp, msiexec.exe, 00000003.00000002.390645671.0000000008180000.00000002.00000001.sdmp, Setup.exe, 00000004.00000002.476711345.0000000003AB0000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.432713310.0000000005DE0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.285220007.0000012B46D40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.501388499.000002809FF40000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.301516817.0000026241340000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000001.00000002.212378572.0000011F65540000.00000002.00000001.sdmp, Setup.exe, 00000002.00000002.440216351.0000000003AB0000.00000002.00000001.sdmp, msiexec.exe, 00000003.00000002.390645671.0000000008180000.00000002.00000001.sdmp, Setup.exe, 00000004.00000002.476711345.0000000003AB0000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.432713310.0000000005DE0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.285220007.0000012B46D40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.501388499.000002809FF40000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.301516817.0000026241340000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: CloudHttpWindowPopup.exe, 00000021.00000002.337979422.0000000000817000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: svchost.exe, 0000000C.00000002.493232316.000002A06F829000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.493725245.000002809F244000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.494136581.0000021B63829000.00000004.00000001.sdmp, CloudHttpWindowPopup.exe, 00000026.00000002.352077851.0000000000DD8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000001.00000002.212378572.0000011F65540000.00000002.00000001.sdmp, Setup.exe, 00000002.00000002.440216351.0000000003AB0000.00000002.00000001.sdmp, msiexec.exe, 00000003.00000002.390645671.0000000008180000.00000002.00000001.sdmp, Setup.exe, 00000004.00000002.476711345.0000000003AB0000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.432713310.0000000005DE0000.00000002.00000001.sdmp, svchost.exe, 0000000B.00000002.285220007.0000012B46D40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.501388499.000002809FF40000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.301516817.0000026241340000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004685B4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004685B4
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0042C46B _memset,_memset,lstrlenW,_memset,wsprintfW,___FUnloadDelayLoadedDLL2@4,LoadLibraryW,GetProcAddress,GetLastError,GetSystemTimeAsFileTime, 0_2_0042C46B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00409B54 GetFileSize,GetProcessHeap,GetProcessHeap,HeapAlloc,ReadFile,lstrlenA,__alloca_probe_16,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,ReadFile,GetProcessHeap,HeapFree, 0_2_00409B54
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_004685B4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004685B4
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0047D02D SetUnhandledExceptionFilter, 0_2_0047D02D

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpServer.exe
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c taskkill /F /IM CloudHttpWindowPopup.exe
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Star4Live\Star4Live_P2P\CloudHttpWin32Server.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe
Uses taskkill to terminate processes
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpServer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM CloudHttpWindowPopup.exe
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0043C9DC __EH_prolog3,_memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity, 0_2_0043C9DC
Source: svchost.exe, 0000000E.00000002.493198482.0000025780000000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Setup.exe, svchost.exe, 0000000E.00000002.493198482.0000025780000000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 0000000E.00000002.493198482.0000025780000000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Setup.exe Binary or memory string: AShell_TrayWndTahoma0x0409NoSuppressRebootKeyDotNetOptionalInstallIfSilentDotNetOptionalSETUPEXENAMESETUPEXEDIRCertKeyCacheFolderCacheRootLocationTypeSuppressWrongOSSuppressReboot
Source: svchost.exe, 0000000E.00000002.493198482.0000025780000000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: Setup.exe Binary or memory string: AShell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Setup.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_00480075
Source: C:\Users\user\Desktop\Setup.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_0048000E
Source: C:\Users\user\Desktop\Setup.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 0_2_004800B1
Source: C:\Users\user\Desktop\Setup.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 0_2_00470458
Source: C:\Users\user\Desktop\Setup.exe Code function: GetLocaleInfoA, 0_2_0048D68F
Source: C:\Users\user\Desktop\Setup.exe Code function: GetLocaleInfoA, 0_2_0048D923
Source: C:\Users\user\Desktop\Setup.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_0047D933
Source: C:\Users\user\Desktop\Setup.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 0_2_0047DFD4
Source: C:\Users\user\Desktop\Setup.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 0_2_0047E25F
Source: C:\Users\user\Desktop\Setup.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 0_2_0047E525
Source: C:\Users\user\Desktop\Setup.exe Code function: GetLocaleInfoW, 0_2_00486BCC
Source: C:\Users\user\Desktop\Setup.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 0_2_00486BE5
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0042C46B _memset,_memset,lstrlenW,_memset,wsprintfW,___FUnloadDelayLoadedDLL2@4,LoadLibraryW,GetProcAddress,GetLastError,GetSystemTimeAsFileTime, 0_2_0042C46B
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0048CC02 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 0_2_0048CC02
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00432AA2 GetVersionExW,GetSystemInfo, 0_2_00432AA2

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000012.00000002.494657299.0000019FC8A40000.00000004.00000001.sdmp Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000012.00000002.494722861.0000019FC8B02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Behavior Graph ID: 358589  Sample: Setup.exe  Startdate: 25/02/2021  Architecture: WINDOWS  Score: 25

Process tree recovered from the graph (indented entries were started by the entry above them; the number after a process name is the graph's per-node count):

svchost.exe
    signature: Changes security center settings (notifications, updates, antivirus, firewall)
CloudHttpWin32Server.exe
    cmd.exe
        conhost.exe
        taskkill.exe
    cmd.exe
        conhost.exe
        taskkill.exe
    CloudHttpServer.exe
        conhost.exe
    4 other processes
        conhost.exe (4 instances)
Setup.exe 33
    msiexec.exe 7
        dropped: C:\Users\user\AppData\Local\...\MSI7AD6.tmp, PE32
15 other processes
    contacted: 127.0.0.1 unknown unknown
    msiexec.exe 7
        dropped: C:\Users\user\AppData\Local\...\MSI2FA4.tmp, PE32

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
(none listed; the only address contacted during analysis is the loopback address below)

Contacted Private IPs

IP
127.0.0.1