Analysis Report SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Overview

General Information

Sample Name: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
Analysis ID: 377536
MD5: e1c700344a31aee275b86a0cc5fe707b
SHA1: e1ca62a65559a00eac9096f7b1e0de69d82fd0c8
SHA256: fa07eeabe6dc625c92894a62137f8c2cfb445b8e3daddd19ee3c44c00a84a708

Detection

Score: 32
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

PE file has a writeable .text section
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Is looking for software installed on the system
May infect USB drives
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Compliance:

Uses 32bit PE files
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Static PE information: certificate valid
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\ISP\setup.pdb source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_isres_0x0409.pdb source: _is63FD.tmp.1.dr
Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe, 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000003.00000002.699468511.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000004.00000002.700463534.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000005.00000000.699946688.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000006.00000002.703456704.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000007.00000002.934477118.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000008.00000002.934475084.00007FF7F3997000.00000002.00020000.sdmp

Spreading:

May infect USB drives
Source: setup.exe, 00000001.00000002.934145303.0000000000917000.00000004.00000020.sdmp Binary or memory string: autorun.inf
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Binary or memory string: [autorun]
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Binary or memory string: autorun.infDisk1\autorun.inf0.0.0.043[autorun]
Source: layout.bin.0.dr Binary or memory string: setup.iniautorun.infsetup.bmpsetup.inxISSetup.dll0x0409.inidata1.hdrdata1.cabdata2.cablayout.binsetup.exe
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_0042C966 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW, 0_2_0042C966
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_00451BC7 __EH_prolog3_GS,FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,RemoveDirectoryW,__CxxThrowException@8,DeleteFileW, 0_2_00451BC7
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe String found in binary or memory: http://=0x%04x.iniMS
Source: setup.exe, 00000001.00000003.691546035.0000000000975000.00000004.00000001.sdmp, _is5560.tmp.1.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: setup.exe, 00000001.00000002.934145303.0000000000917000.00000004.00000020.sdmp String found in binary or memory: http://deviis4.installshield.com/NetNirvana/
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe String found in binary or memory: http://deviis4.installshield.com/NetNirvana/data2.cabDisk1
Source: setup.exe, 00000001.00000003.691546035.0000000000975000.00000004.00000001.sdmp, _is5560.tmp.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr String found in binary or memory: http://s2.symcb.com0
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe String found in binary or memory: http://support.automationdirect.com
Source: setup.exe, 00000001.00000002.934145303.0000000000917000.00000004.00000020.sdmp String found in binary or memory: http://support.automationdirect.com8
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr String found in binary or memory: http://sv.symcd.com0&
Source: setup.exe, 00000001.00000003.691546035.0000000000975000.00000004.00000001.sdmp, _is5560.tmp.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: setup.exe, 00000001.00000003.691546035.0000000000975000.00000004.00000001.sdmp, _is5560.tmp.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: setup.exe, 00000001.00000003.691546035.0000000000975000.00000004.00000001.sdmp, _is5560.tmp.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr String found in binary or memory: http://www.flexerasoftware.com0
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr String found in binary or memory: https://d.symcb.com/rpa0

System Summary:

PE file has a writeable .text section
Source: ISSetup.dll.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ISSetup.dll.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_00447C87 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 0_2_00447C87
Detected potential crypto function
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_00493630 0_2_00493630
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_0045E9CF 0_2_0045E9CF
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_00490B40 0_2_00490B40
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_00475CA1 0_2_00475CA1
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_0044ECB8 0_2_0044ECB8
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe Code function: 2_2_00007FF7F398CC64 2_2_00007FF7F398CC64
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe Code function: 2_2_00007FF7F3981AD0 2_2_00007FF7F3981AD0
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe Code function: 2_2_00007FF7F398FCE4 2_2_00007FF7F398FCE4
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe Code function: 2_2_00007FF7F39942FC 2_2_00007FF7F39942FC
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe Code function: 2_2_00007FF7F398D308 2_2_00007FF7F398D308
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe Code function: 2_2_00007FF7F3984230 2_2_00007FF7F3984230
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe Code function: 2_2_00007FF7F3984E10 2_2_00007FF7F3984E10
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe Code function: 2_2_00007FF7F398F11C 2_2_00007FF7F398F11C
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: String function: 004091B8 appears 84 times
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: String function: 0045B8C9 appears 169 times
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: String function: 00459F9F appears 57 times
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: String function: 0045B8FF appears 44 times
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: String function: 00459FCD appears 43 times
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: String function: 0045A2FE appears 64 times
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: String function: 0041AE03 appears 31 times
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: String function: 0045B896 appears 110 times
PE file contains strange resources
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ISSetup.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ISSetup.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ISSetup.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ISSetup.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ISSetup.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ISSetup.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe, 00000000.00000000.663826376.0000000000519000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
Source: ISSetup.dll.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Source: ISSetup.dll.1.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: sus32.evad.winEXE@17/97@0/0
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_0041F883 _memset,lstrcpyW,lstrcatW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW, 0_2_0041F883
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_004443E5 __EH_prolog3_GS,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,CoCreateInstance, 0_2_004443E5
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_00420149 __EH_prolog3_catch_GS,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 0_2_00420149
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Mutant created: \Sessions\1\BaseNamedObjects\62E0592E-B1C0-499B-83F6-829789BDBD51
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe File created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe File read: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.ini
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe File read: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
Source: unknown Process created: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe 'C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe'
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Process created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe -package:'C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe' -no_selfdeleter -IS_temp -media_path:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\' -tempdisk1folder:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\' -IS_OriginalLauncher:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.exe'
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B8FD074B-9EF5-416D-A3EE-6D8FB115C83F}
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3BED6DCE-3BD7-42E3-BF6F-81E3F37201FD}
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30C7FFBC-292B-4310-AFE7-0365F4C35832}
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C15C7E7D-7890-420A-86BA-7E9024358B47}
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6332241F-264C-4388-88EB-7A98CF4DBA83}
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D1BE9E7C-E67D-4CF9-BA65-428ACD016A71}
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{176CEB1A-A045-48A9-ADF5-06CDBA606E31}
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe File written: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\0x0409.ini
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Static file information: File size 26675560 > 1048576
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_0047A0BB EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0047A0BB
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .rsrc
PE file contains an invalid checksum
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Static PE information: real checksum: 0x19773c0 should be:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_00466655 push ecx; ret 0_2_00466668
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_0045B864 push ecx; ret 0_2_0045B877

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6A20.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\MMO6B1E.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6270.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is64CC.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is55FE.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is66F7.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5827.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5CEA.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5758.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is59F4.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\isr5430.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is61D2.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6922.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6893.tmp
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe File created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.exe
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6766.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5DE8.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\ISSetup.dll
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is63FD.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5D4A.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is69C0.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is632E.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6668.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6824.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is636E.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5C1B.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\_is5463.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Isr5530.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is57C7.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISB542E.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is646C.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5994.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6ABE.tmp
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe File created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\dot542C.tmp
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe File created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\ISSetup.dll
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5896.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is58F6.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5C8A.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5560.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is656A.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is65CA.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5B8C.tmp Jump to dropped file
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_0048A330 GetLastError,SetLastError,_memset,lstrcpyA,_memset,lstrcpyW,lstrlenA,_memset,lstrcpyA,lstrlenA,lstrlenA,_memmove,lstrcmpiA,GetLastError,SetLastError,_memmove,GetPrivateProfileIntA,_memset,lstrcpyA,GetPrivateProfileStringA,GetSysColor,_memset,_memset,GetPrivateProfileSectionNamesA,lstrcpyA,lstrcpyA,lstrlenA,lstrcpyA,GetPrivateProfileStringA,GetSysColor,GetLastError,SysFreeString,SysFreeString,SysFreeString,SetLastError,lstrcpyA,lstrlenA,lstrcmpA,lstrcpyA,GetPrivateProfileStringA,GetProcAddress, 0_2_0048A330

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe Code function: 2_2_00007FF7F398CC64 RtlEncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00007FF7F398CC64
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\MMO6B1E.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6A20.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6270.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is64CC.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is55FE.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is66F7.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5827.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5CEA.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5758.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is59F4.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\isr5430.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is61D2.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6922.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6893.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6766.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5DE8.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is63FD.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5D4A.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is69C0.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6668.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is632E.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6824.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is636E.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5C1B.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\_is5463.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is57C7.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Isr5530.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is646C.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5994.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6ABE.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\dot542C.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is58F6.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5C8A.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5896.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5560.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is656A.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is65CA.tmp
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5B8C.tmp
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe API coverage: 6.7 %
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe API coverage: 9.6 %
Is looking for software installed on the system
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_0042C966 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW, 0_2_0042C966
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_00451BC7 __EH_prolog3_GS,FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,RemoveDirectoryW,__CxxThrowException@8,DeleteFileW, 0_2_00451BC7
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_0041A1F5 VirtualQuery,GetSystemInfo,MapViewOfFile, 0_2_0041A1F5
Source: setup.exe, 00000001.00000002.937591615.0000000003200000.00000004.00000001.sdmp Binary or memory string: 0bIsVirtualMachinek
Source: setup.exe, 00000001.00000002.937591615.0000000003200000.00000004.00000001.sdmp Binary or memory string: 0_IsVirtualMachineT
Source: setup.exe, 00000001.00000002.944364655.0000000005864000.00000004.00000001.sdmp Binary or memory string: 0_IsVirtualMachine
Source: setup.exe, 00000001.00000002.944364655.0000000005864000.00000004.00000001.sdmp Binary or memory string: 0bIsVirtualMachine'+S
Source: setup.exe, 00000001.00000002.945234294.0000000005B91000.00000040.00020000.sdmp, isr5430.tmp.1.dr Binary or memory string: _GetVirtualMachineType
Source: setup.exe, 00000001.00000002.938253561.00000000034B4000.00000004.00000001.sdmp Binary or memory string: 0bIsVirtualMachine=%ld
Source: setup.exe, 00000001.00000002.944364655.0000000005864000.00000004.00000001.sdmp Binary or memory string: 0_GetVirtualMachineType&
Source: setup.exe, 00000001.00000002.937591615.0000000003200000.00000004.00000001.sdmp Binary or memory string: 0_GetVirtualMachineType
Source: setup.exe, 00000001.00000002.938253561.00000000034B4000.00000004.00000001.sdmp Binary or memory string: 0bIsVirtualMachineDH
Source: setup.exe, 00000001.00000002.944364655.0000000005864000.00000004.00000001.sdmp, isr5430.tmp.1.dr Binary or memory string: _IsVirtualMachine
Source: setup.exe, 00000001.00000002.944364655.0000000005864000.00000004.00000001.sdmp Binary or memory string: 0bIsVirtualMachine
Source: setup.exe, 00000001.00000002.937827081.0000000003300000.00000004.00000001.sdmp Binary or memory string: 0bIsVirtualMachine>
Source: setup.exe, 00000001.00000002.944364655.0000000005864000.00000004.00000001.sdmp Binary or memory string: 0bIsVirtualMachine=%ldR+
Source: setup.exe, 00000001.00000002.945234294.0000000005B91000.00000040.00020000.sdmp, isr5430.tmp.1.dr Binary or memory string: AddIconCallDLLFnComponentViewCreateWindowComponentViewDestroyComponentViewRefreshComponentViewSelectAllComponentViewSetInfoComponentViewSetInfoExCreateFolderDeleteFolderDeleteIconEnableHourGlassEnumFoldersItemsGetCPUTypeGetFontSubGetHandleGetPortsGetSelectedItemStateIsEmptyIsNTAdminIsOSTypeNTIsObjectIsPowerUserLangLoadStringMessageBeepPPathCompactPathPixelPathCrackUrlPathGetDirPathGetDrivePathGetFilePathGetFileExtPathGetFileNamePathGetLongFromShortPathGetPathPathIsValidSyntaxQueryIconReadArrayPropertyReadBoolPropertyReadNumberPropertyReplaceIconShowFolderTextSubSubstituteVerGetFileVersionWriteArrayPropertyWriteBoolPropertyWriteNumberPropertyWriteStringProperty_AppSearch_BrowseForFolder_CCPSearch_CHARArrayToWCHARArray_CalculateAndAddFileCost_CleanupInet_CloseFile_CmdGetHwndDlg_CmdGetMsg_CmdGetParam1_CmdGetParam2_CoGetObject_CompareDWORD_ComponentAddItem_ComponentCompareSizeRequired_ComponentError_ComponentErrorInfo_ComponentFileEnum_ComponentFileInfo_ComponentFilterLanguage_ComponentFilterOS_ComponentGetCost_ComponentGetCostEx_ComponentGetData_ComponentGetItemSize_ComponentGetTotalCost_ComponentGetTotalCostEx_ComponentInitialize_ComponentIsItemSelected_ComponentListItems_ComponentLoadTarget_ComponentMoveData_ComponentPatch_ComponentReinstall_ComponentRemoveAll_ComponentRemoveAllInLogOnly_ComponentSaveTarget_ComponentSelectItem_ComponentSelectNew_ComponentSetData_ComponentSetupTypeEnum_ComponentSetupTypeGetData_ComponentSetupTypeSet_ComponentTotalSize_ComponentTransferData_ComponentUpdate_ComponentValidate_ComponentViewCreate_ComponentViewQueryInfo_CopyBytes_CreateDir_CreateObject_CreateRegistrySet_CreateShellObjects_CtrlGetNotificationCode_CtrlGetParentWindowHelper_CtrlGetSubCommand_CtrlGetUrlForLinkClicked_CtrlSetHtmlContent_CtrlSetMLERichText_DIFxDriverPackageGetPath_DIFxDriverPackageInstall_DIFxDriverPackagePreinstall_DIFxDriverPackageUninstall_DefineDialog_DeleteCHARArray_DialogSetFont_DisableBranding_DisableStatus_Divide_DoInstall_DoSprintf_DotNetCoCreateObject_DotNetUnloadAppDomain_EnableDialogCache_EnablePrevDialog_EnableSkins_EnableStatus_EnableWow64FsRedirection_EndDialog_ExistsDir_ExistsDisk_ExistsFile_ExitInstall_FeatureAddCost_FeatureAddUninstallCost_FeatureGetCost_FeatureInitialize_FeatureSpendCost_FeatureSpendUninstallCost_FileCopy_FloatingPointOperation_GenerateFileMD5SignatureHex_GetByte_GetCurrentDialogName_GetDiskInfo_GetDiskSpaceEx_GetDiskSpaceExEx_GetFont_GetGlobalFlags_GetGlobalMemorySize_GetInetFileSize_GetInetFileTime_GetLine_GetLineSize_GetObject_GetObjectByIndex_GetObjectCount_GetProcessorInfo_GetRunningChildProcess_GetRunningChildProcessEx_GetRunningChildProcessEx2_GetSelectedTreeComponent_GetStandardLangId_GetSupportDir_GetSystemDpi_GetTrueTypeFontFileInfo_GetVirtualMachineType_InetEndofTransfer_InetGetLastError_InetGetNextDisk_InitInstall_IsFontTypefaceNameAvailable_IsInAdminGroup_IsLangSupported_IsSkinLoaded_IsVirtualMachine_IsWindowsME_IsWow64_KillProcesses_ListAddItem_ListAddString_ListCount_ListCreate_ListCurrentIte
Source: setup.exe, 00000001.00000002.937675505.000000000323B000.00000004.00000001.sdmp Binary or memory string: 0bIsVirtualMachineR4B
Source: setup.exe, 00000001.00000002.937675505.000000000323B000.00000004.00000001.sdmp Binary or memory string: 0_GetVirtualMachineTypeIg
Source: setup.exe, 00000001.00000002.937591615.0000000003200000.00000004.00000001.sdmp Binary or memory string: 0bIsVirtualMachined
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe API call chain: ExitProcess graph end node

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_0047A0BB EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0047A0BB
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_0047A0BB EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0047A0BB
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_0047A0BB EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_0047A0BB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_00430226 GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,_strlen,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree, 0_2_00430226
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_004638EA SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004638EA
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe Code function: 2_2_00007FF7F398DCD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF7F398DCD4
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe Code function: 2_2_00007FF7F39907D8 SetUnhandledExceptionFilter, 2_2_00007FF7F39907D8

HIPS / PFW / Operating System Protection Evasion:

Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Process created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe -package:'C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe' -no_selfdeleter -IS_temp -media_path:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\' -tempdisk1folder:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\' -IS_OriginalLauncher:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.exe'
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Process created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe -package:'C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe' -no_selfdeleter -IS_temp -media_path:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\' -tempdisk1folder:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\' -IS_OriginalLauncher:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.exe'
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_0041BFB9 _memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,SetEntriesInAclW,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity, 0_2_0041BFB9
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_00450887 GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid, 0_2_00450887
Source: setup.exe, 00000001.00000002.947955047.0000000010001000.00000040.00020000.sdmp Binary or memory string: ISLOG_VERSION_INFO..\..\..\Shared\LogServices2\LogDB.cppOPTYPE_PROGMANISLOGDB_USER_PROPERTIES,
Source: setup.exe, 00000001.00000002.934167800.000000000093B000.00000004.00000020.sdmp Binary or memory string: OPTYPE_PROGMAN0q
Source: setup.exe, 00000001.00000002.943380084.0000000005247000.00000004.00000001.sdmp Binary or memory string: OPTYPE_PROGMAN
Source: setup.exe, 00000001.00000002.948226450.0000000010239000.00000040.00020000.sdmp Binary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe, 00000000.00000002.933958937.0000000001010000.00000002.00000001.sdmp, setup.exe, 00000001.00000002.934223950.0000000000B80000.00000002.00000001.sdmp, ISBEW64.exe, 00000002.00000002.933628718.000001A0A5D50000.00000002.00000001.sdmp, ISBEW64.exe, 00000007.00000002.933619409.000001EB7B690000.00000002.00000001.sdmp, ISBEW64.exe, 00000008.00000002.933582892.0000022320160000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe, 00000000.00000002.933958937.0000000001010000.00000002.00000001.sdmp, setup.exe, 00000001.00000002.934223950.0000000000B80000.00000002.00000001.sdmp, ISBEW64.exe, 00000002.00000002.933628718.000001A0A5D50000.00000002.00000001.sdmp, ISBEW64.exe, 00000007.00000002.933619409.000001EB7B690000.00000002.00000001.sdmp, ISBEW64.exe, 00000008.00000002.933582892.0000022320160000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe, 00000000.00000002.933958937.0000000001010000.00000002.00000001.sdmp, setup.exe, 00000001.00000002.934223950.0000000000B80000.00000002.00000001.sdmp, ISBEW64.exe, 00000002.00000002.933628718.000001A0A5D50000.00000002.00000001.sdmp, ISBEW64.exe, 00000007.00000002.933619409.000001EB7B690000.00000002.00000001.sdmp, ISBEW64.exe, 00000008.00000002.933582892.0000022320160000.00000002.00000001.sdmp Binary or memory string: Progman
Source: setup.exe, 00000001.00000002.934167800.000000000093B000.00000004.00000020.sdmp Binary or memory string: OPTYPE_PROGMAN
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe, 00000000.00000002.933958937.0000000001010000.00000002.00000001.sdmp, setup.exe, 00000001.00000002.934223950.0000000000B80000.00000002.00000001.sdmp, ISBEW64.exe, 00000002.00000002.933628718.000001A0A5D50000.00000002.00000001.sdmp, ISBEW64.exe, 00000007.00000002.933619409.000001EB7B690000.00000002.00000001.sdmp, ISBEW64.exe, 00000008.00000002.933582892.0000022320160000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: setup.exe, 00000001.00000002.934145303.0000000000917000.00000004.00000020.sdmp Binary or memory string: OPTYPE_PROGMANQ

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale, 0_2_004125AD
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_0043B52C __EH_prolog3_GS,GetCurrentProcessId,_memset,GetLocalTime,GetModuleFileNameW, 0_2_0043B52C
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe Code function: 0_2_00430174 GetVersionExW, 0_2_00430174
Behavior Graph ID: 377536. Sample: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe. Startdate: 29/03/2021. Architecture: WINDOWS. Score: 32 (PE file has a writeable .text section). Process tree: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe started, dropped setup.exe (PE32) and ISSetup.dll (PE32); setup.exe started, dropped _is6ABE.tmp, _is6A20.tmp, _is69C0.tmp (PE32) and 37 other files (none is malicious), then started ISBEW64.exe (three instances) and 4 other processes.
No contacted IP infos