Windows Analysis Report
Setup.exe

Overview

General Information

Sample Name: Setup.exe
Analysis ID: 612091
MD5: 37c6031e6d7ed0910fab1ab8d18f76f4
SHA1: 37e4ea50f7668a52abe951fb540c7ced71c6500a
SHA256: 1200ec02f814bcd7a6de8035ec139548a80b628601b90f4a13a5b35cf976a4e0

Detection

Score: 6
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Drops certificate files (DER)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Allocates memory with a write watch (potentially for evading sandboxes)
Drops PE files
Tries to load missing DLLs
Creates driver files
Checks for available system drives (often done to infect USB drives)

Classification

Source: Setup.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Setup.exe Static PE information: certificate valid
Source: Setup.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\x64\CoreInstallerHelper.pdb7 source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\ResourceCleaner.pdb source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: C:\wrk\tlprj\_ToriLogic\Products\TL-USBNET\_main\bin\Release_660\Win32\tl-usbnet.pdb source: dl-usbnet-ncm.sys.4.dr
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\Win32\dlidusb3\dlidusb3.pdbGCTL source: additional.exe, 00000004.00000003.505808440.0000000002440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\tempFiles.pdb source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.672305509.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.678066911.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdb source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\Win32\Setup.pdb source: Setup.exe
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\x64\DisplayLinkUsbCo2.pdb source: additional.exe, 00000004.00000003.488606399.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: VDESTnivoco.dllnivoco.pdbnivolib.dlllibusb0.dlldrivers\libusb0.sysnivousb.dlldrivers\nivousbport.sysngadisp.dlldrivers\ngaport.sysnewnhamgadisp.dlldrivers\newnhamgaport.sysnmirror.dlldrivers\nmirror.sysdrivers\nmirrorport.sysnewnhammirrordisp.dlldrivers\newnhammirrorport.sysnmdrv.dlldrivers\nmport.sysibdisp.dlldrivers\ibport.sysnewnhamusb.dllnewnhamusbco.dlldrivers\newnhamusbport.sysDisplayLinkGAdisp.dlldrivers\DisplayLinkGAport.sysDisplayLinkmirrordisp.dlldrivers\DisplayLinkmirrorport.sysdrivers\DisplayLinkUsbPort*.sysdrivers\DisplayLinkUsbIo*.sysdrivers\DisplayLinkFilter.sysdrivers\UMDF\dlidusb.dlldrivers\UMDF\dlidusb2.dlldrivers\UMDF\dlidusb3.dlldlidcore.dlldrivers\dlkmd.sysdrivers\dlkmdldr.sysDisplayLinkusb.dllDisplayLinkUsbCo*.dlldrivers\ebusbus.sysdrivers\ebuswh95.sysdrivers\ebuswhnt.sysdrivers\ebuswh.sysdrivers\dlcdbus.sysdrivers\dlcdwhnt.sysdrivers\dlcdwh.sysdrivers\dlcdcecm.sysdrivers\dlcdcncm*.sysdrivers\dl-usbnet-ncm.sysdrivers\dlusbaudio.sysdrivers\dlusbaudio_x64.sysDLTmmB.dlldlumd9.dlldlumd10.dlldlumd11.dlldrivers\UMDF\ella-dock-release.spkgdrivers\UMDF\ridge-dock-release.spkgdrivers\UMDF\firefly-monitor-release.spkgdrivers\dlxrusbaudio_x64.sysdrivers\DisplayLinkXRUsbIo_x64*.sysDisplayLinkHotDeskServiceDisplayLinkDriverSwapService source: additional.exe, 00000004.00000003.488606399.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\x64\CoreInstallerHelper.pdb source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: DpInst.pdbH source: additional.exe, 00000004.00000003.486713848.0000000002440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, MSI2AF1.tmp.16.dr
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\x64\Cleaner.pdb source: DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb+ source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdbV source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\Win32\dlidusb3\dlidusb3.pdb source: additional.exe, 00000004.00000003.505808440.0000000002440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: Setup.exe, 00000000.00000000.394336162.0000000003398000.00000002.00000001.01000000.00000003.sdmp, Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, DLC3A4.exe, 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp, DLC3A4.exe, 00000010.00000000.575990996.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: DpInst.pdb source: additional.exe, 00000004.00000003.486713848.0000000002440000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Code function: 4_2_00406FF9 __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA, 4_2_00406FF9
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00414085 FindFirstFileW,FindClose,CloseHandle,CloseHandle, 16_2_00414085
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_003FA310 FindFirstFileW,GetLastError,FindClose, 16_2_003FA310
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00414B3A FindFirstFileW,FindClose, 16_2_00414B3A
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_004083C7 __EH_prolog3_GS,FindFirstFileW,FindClose, 16_2_004083C7
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0041C5A8 FindFirstFileW,FindClose, 16_2_0041C5A8
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0041A78C __EH_prolog3_GS,_wcslen,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 16_2_0041A78C
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0042697F FindFirstFileW,FindNextFileW,_wcsrchr,_wcsrchr,_wcsrchr,FindNextFileW,FindClose,FindClose,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,FindClose, 16_2_0042697F
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0041AA08 __EH_prolog3_GS,FindFirstFileW,FindClose, 16_2_0041AA08
Source: DLC3A4.exe, 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp, DLC3A4.exe, 00000010.00000000.575990996.00000000004A7000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: AShell32.dllShlwapi.dllbinSoftware\JavaSoft\Java Development Kit\JavaHomeSoftware\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.google.comhttp://www.example.comhttp://www.yahoo.comtin9999.tmpHEAD.part123charsetutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET*/*FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: Setup.exe, 00000000.00000000.394336162.0000000003398000.00000002.00000001.01000000.00000003.sdmp, Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: IShell32.dllShlwapi.dllbinSoftware\JavaSoft\Java Development Kit\JavaHomeSoftware\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.google.comhttp://www.example.comhttp://www.yahoo.comtin9999.tmpHEAD.part123charsetutf-8POSTISO-8859-1utf-16AdvancedInstallerUS-ASCIILocal Network ServerGET*/*FTP ServerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: DLC3A4.exe String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.677390665.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.677390665.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, 00000010.00000003.648494104.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.677175504.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.625008226.0000000004E37000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000002.682306648.00000000059CD000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.647813814.0000000004E39000.00000004.00000800.00020000.00000000.sdmp, dl-usbnet-ncm.sys.4.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM\dlcdcncm.cat
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL-USBNET-NCM\x64\dl-usbnet-ncm.cat
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dl-usbnet-ncm.cat
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlusbaudio.cat
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLUSBAUDIO\dlusbaudio.cat
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL-USBNET-NCM\x86\dl-usbnet-ncm.cat
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dl-usbnet-ncm.cat
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlusbaudio.cat
Source: Setup.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\INF\oem0.PNF
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_003AC0B9 __EH_prolog3_GS,ShowWindow,ShowWindow,NtdllDefWindowProc_W,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 16_2_003AC0B9
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00390558 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 16_2_00390558
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_003ACC2E __EH_prolog3,GetWindowDC,NtdllDefWindowProc_W,SetWindowLongW,DeleteDC, 16_2_003ACC2E
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00394E43 NtdllDefWindowProc_W, 16_2_00394E43
Source: Setup.exe Static PE information: Resource name: EXE type: PE32 executable (console) Intel 80386, for MS Windows
Source: Setup.exe Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Setup.exe Static PE information: Resource name: EXE type: Microsoft Cabinet archive data, 2366 bytes, 3 files
Source: DpInst.exe.4.dr Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: DpInst.exe0.4.dr Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: 1033.dll.16.dr Static PE information: No import functions for PE file found
Source: Setup.exe, 00000000.00000000.394642517.000000000354D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameDisplayLinkIDD.exeJ vs Setup.exe
Source: Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDecoder.dllF vs Setup.exe
Source: Setup.exe Binary or memory string: OriginalFilename7z.sfx.exe, vs Setup.exe
Source: Setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: additional.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DLC3A4.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DLC3A4.tmp.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DpInst.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DpInst.exe0.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DisplayLinkCore64.dat.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DisplayLinkCore.dat.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1033.dll.16.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Section loaded: davhlpr.dllole32.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Section loaded: lpk.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlusbaudio.sys
Source: Setup.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe" -y -o"C:\Users\user\AppData\Local\Temp\DL2.tmp\
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe DLC3A4.exe /exelang 1033 ALLOW64BIT=Yes DL_PROMOTE_STORE_APP=Yes DL_PRODUCT_NAME="DisplayLink Graphics" DL_BRANDING_UPGRADE_CODE="{78A36ACD-80D5-490f-B4C4-83D7FCC08391}" DL_BRANDING_PRODUCT_CODE="{08DDE00A-EEEA-416E-9E61-B9085D542140}" DL_BRANDING_CAB="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCABA.tmp" DL_BRANDING_NEW_DEVICE_ACTIVITY=mirror DL_ID_USBDRIVER_PATH="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64" DL_HOTDESK_SERVICE="No" DL_INSTALL_ANALYTICS=Yes DL_TEMP_DIR="C:\Users\user\AppData\Local\Temp\DL2.tmp\" /lv "C:\Users\user\AppData\Local\Temp\DLC335A.LOG"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A63054042D1C239EA3B02585E95E450D C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding A71763BA0B19F12D058A5205CCDD4884 C
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DLS07D4.log
Source: classification engine Classification label: clean6.winEXE@11/123@0/0
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File read: C:\Windows\win.ini
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0041B2EA GetDiskFreeSpaceExW, 16_2_0041B2EA
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_003F67C0 FormatMessageW,GetLastError, 16_2_003F67C0
Source: C:\Users\user\Desktop\Setup.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\DisplayLinkSetupPrevInstanceDetector
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3572:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Automated click: Next >
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Setup.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Setup.exe Static file information: File size 79416048 > 1048576
Source: Setup.exe Static PE information: certificate valid
Source: Setup.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x165600
Source: Setup.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x49eec00
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Setup.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\x64\CoreInstallerHelper.pdb7 source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\ResourceCleaner.pdb source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: C:\wrk\tlprj\_ToriLogic\Products\TL-USBNET\_main\bin\Release_660\Win32\tl-usbnet.pdb source: dl-usbnet-ncm.sys.4.dr
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\Win32\dlidusb3\dlidusb3.pdbGCTL source: additional.exe, 00000004.00000003.505808440.0000000002440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\tempFiles.pdb source: DLC3A4.exe, 00000010.00000003.647681466.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000003.648295325.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.680780745.00000000052D0000.00000002.00000001.00040000.00000014.sdmp, DLC3A4.exe, 00000010.00000003.672305509.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.678066911.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdb source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\Win32\Setup.pdb source: Setup.exe
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\x64\DisplayLinkUsbCo2.pdb source: additional.exe, 00000004.00000003.488606399.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: VDESTnivoco.dllnivoco.pdbnivolib.dlllibusb0.dlldrivers\libusb0.sysnivousb.dlldrivers\nivousbport.sysngadisp.dlldrivers\ngaport.sysnewnhamgadisp.dlldrivers\newnhamgaport.sysnmirror.dlldrivers\nmirror.sysdrivers\nmirrorport.sysnewnhammirrordisp.dlldrivers\newnhammirrorport.sysnmdrv.dlldrivers\nmport.sysibdisp.dlldrivers\ibport.sysnewnhamusb.dllnewnhamusbco.dlldrivers\newnhamusbport.sysDisplayLinkGAdisp.dlldrivers\DisplayLinkGAport.sysDisplayLinkmirrordisp.dlldrivers\DisplayLinkmirrorport.sysdrivers\DisplayLinkUsbPort*.sysdrivers\DisplayLinkUsbIo*.sysdrivers\DisplayLinkFilter.sysdrivers\UMDF\dlidusb.dlldrivers\UMDF\dlidusb2.dlldrivers\UMDF\dlidusb3.dlldlidcore.dlldrivers\dlkmd.sysdrivers\dlkmdldr.sysDisplayLinkusb.dllDisplayLinkUsbCo*.dlldrivers\ebusbus.sysdrivers\ebuswh95.sysdrivers\ebuswhnt.sysdrivers\ebuswh.sysdrivers\dlcdbus.sysdrivers\dlcdwhnt.sysdrivers\dlcdwh.sysdrivers\dlcdcecm.sysdrivers\dlcdcncm*.sysdrivers\dl-usbnet-ncm.sysdrivers\dlusbaudio.sysdrivers\dlusbaudio_x64.sysDLTmmB.dlldlumd9.dlldlumd10.dlldlumd11.dlldrivers\UMDF\ella-dock-release.spkgdrivers\UMDF\ridge-dock-release.spkgdrivers\UMDF\firefly-monitor-release.spkgdrivers\dlxrusbaudio_x64.sysdrivers\DisplayLinkXRUsbIo_x64*.sysDisplayLinkHotDeskServiceDisplayLinkDriverSwapService source: additional.exe, 00000004.00000003.488606399.0000000000710000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\x64\CoreInstallerHelper.pdb source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: DpInst.pdbH source: additional.exe, 00000004.00000003.486713848.0000000002440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp, MSI2AF1.tmp.16.dr
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\x64\Cleaner.pdb source: DLC3A4.exe, 00000010.00000002.682694119.0000000005BB9000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb+ source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdbV source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp
Source: Binary string: D:\jenkins\workspace\SW_PROD_release_10.2_01-devel\nivo\bin\Win32\dlidusb3\dlidusb3.pdb source: additional.exe, 00000004.00000003.505808440.0000000002440000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: Setup.exe, 00000000.00000000.394336162.0000000003398000.00000002.00000001.01000000.00000003.sdmp, Setup.exe, 00000000.00000000.397785196.0000000003EF0000.00000002.00000001.01000000.00000003.sdmp, DLC3A4.exe, DLC3A4.exe, 00000010.00000002.676601313.00000000004A7000.00000002.00000001.01000000.00000007.sdmp, DLC3A4.exe, 00000010.00000000.575990996.00000000004A7000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: DpInst.pdb source: additional.exe, 00000004.00000003.486713848.0000000002440000.00000004.00001000.00020000.00000000.sdmp
Source: Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Code function: 4_2_004182C0 push eax; ret 4_2_004182DE
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_003D0713 push ecx; mov dword ptr [esp], 3F800000h 16_2_003D077B
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00388AD8 push ecx; mov dword ptr [esp], ecx 16_2_00388ADA
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00388AD8 push ecx; mov dword ptr [esp], ecx 16_2_00388B52
Source: DisplayLinkUsbCo64.dll.4.dr Static PE information: section name: _RDATA
Source: dlidusb.dll.4.dr Static PE information: section name: .didat
Source: dlidusb.dll.4.dr Static PE information: section name: _RDATA
Source: dlidusb2.dll.4.dr Static PE information: section name: .didat
Source: dlidusb2.dll.4.dr Static PE information: section name: _RDATA
Source: dlidusb3.dll.4.dr Static PE information: section name: .didat
Source: dlidusb3.dll.4.dr Static PE information: section name: _RDATA
Source: dlidusb.dll0.4.dr Static PE information: section name: .didat
Source: dlidusb2.dll0.4.dr Static PE information: section name: .didat
Source: dlidusb3.dll0.4.dr Static PE information: section name: .didat
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_003F68D0 LoadLibraryW,GetProcAddress,FreeLibrary, 16_2_003F68D0
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\tempFiles.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM\dlcdcncm62_x64.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\lzmaextractor.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlidusb2.dll
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkUsbIo_x64.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlidusb3.dll
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlusbaudio.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\Prereq.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI2DB2.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL-USBNET-NCM\x86\dl-usbnet-ncm.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI2C59.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkCore.dat
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb3.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL-USBNET-NCM\x64\dl-usbnet-ncm.sys
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlusbaudio_x64.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI4D75.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\FileOperations.dll
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dl-usbnet-ncm.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI28CD.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\PowerShellScriptLauncher.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DPINST32\DpInst.exe
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM\dlcdcncm62.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLUSBAUDIO\dlusbaudio.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI345A.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI2707.tmp
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dl-usbnet-ncm.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI23B9.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI2AF1.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkCore64.dat
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\{312AEE13-2735-4088-B726-C3CA64D81215}\1033.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI257F.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkUsbIo.sys
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlusbaudio_x64.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb2.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\aicustact.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkUsbCo64.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI4A86.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlidusb.dll
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlusbaudio.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI206C.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI414C.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI38DF.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DPINST64\DpInst.exe
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLUSBAUDIO\dlusbaudio_x64.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\{312AEE13-2735-4088-B726-C3CA64D81215}\decoder.dll
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\cl_6709.exe
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\shi1E77.tmp
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI4852.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkUsbCo2.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File created: C:\Users\user\AppData\Local\Temp\MSI98D7.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI345A.tmp
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dl-usbnet-ncm.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\tempFiles.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM\dlcdcncm62_x64.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\lzmaextractor.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlidusb2.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2AF1.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkCore64.dat
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI257F.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{312AEE13-2735-4088-B726-C3CA64D81215}\1033.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkUsbIo_x64.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlidusb3.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkUsbIo.sys
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlusbaudio_x64.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb2.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\aicustact.dll
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlusbaudio.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\Prereq.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkUsbCo64.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4A86.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dlidusb.dll
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlusbaudio.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL-USBNET-NCM\x86\dl-usbnet-ncm.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2C59.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkCore.dat
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI38DF.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb3.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DPINST64\DpInst.exe
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL-USBNET-NCM\x64\dl-usbnet-ncm.sys
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlusbaudio_x64.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\FileOperations.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4D75.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLUSBAUDIO\dlusbaudio_x64.sys
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cl_6709.exe
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x86\dl-usbnet-ncm.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\PowerShellScriptLauncher.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi1E77.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DPINST32\DpInst.exe
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4852.tmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM\dlcdcncm62.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLUSBAUDIO\dlusbaudio.sys
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\NIVO\DisplayLinkUsbCo2.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Memory allocated: 71A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_003DAE83 __EH_prolog3_GS,GetProcAddress,GetCurrentProcess,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 16_2_003DAE83
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Code function: 4_2_00406FF9 __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA, 4_2_00406FF9
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00414085 FindFirstFileW,FindClose,CloseHandle,CloseHandle, 16_2_00414085
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_003FA310 FindFirstFileW,GetLastError,FindClose, 16_2_003FA310
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00414B3A FindFirstFileW,FindClose, 16_2_00414B3A
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_004083C7 __EH_prolog3_GS,FindFirstFileW,FindClose, 16_2_004083C7
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0041C5A8 FindFirstFileW,FindClose, 16_2_0041C5A8
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0041A78C __EH_prolog3_GS,_wcslen,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 16_2_0041A78C
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0042697F FindFirstFileW,FindNextFileW,_wcsrchr,_wcsrchr,_wcsrchr,FindNextFileW,FindClose,FindClose,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,FindClose, 16_2_0042697F
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0041AA08 __EH_prolog3_GS,FindFirstFileW,FindClose, 16_2_0041AA08
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File Volume queried: C:\Users\user\AppData\Local\Temp\{312AEE13-2735-4088-B726-C3CA64D81215} FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File Volume queried: C:\Users\user\AppData\Local\Temp\{312AEE13-2735-4088-B726-C3CA64D81215}\4D81215 FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: DLC3A4.exe, 00000010.00000003.672155660.0000000003BA7000.00000004.00000800.00020000.00000000.sdmp, DLC3A4.exe, 00000010.00000002.678169218.0000000003BC6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.Q
Source: DLC3A4.exe, 00000010.00000003.669738195.0000000003C42000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ERSAuthenticated UsersAUGRP_EVERYONEEveryoneWDUSR_ANONYMOUSAnonymousANUSR_NETWORK_SERVICENetwork ServiceNSGRP_ACCOUNT_OPSAccount OperatorsAOGRP_SERVER_OPSServer OperatorsSOGRP_PRINT_OPSPrint OperatorsPOGRP_BACKUP_OPSBackup OperatorsBOGRP_CRYPTO_OPSCryptographic OperatorsCYGRP_IIS_USERSIIS_IUSRSISGRP_ADMINISTRATORSAdministratorsGRP_USERSUsersGRP_GUESTSGuestsGRP_POWER_USERSPower UsersGRP_REPLICATORReplicatorGRP_RAS_SERVERSRAS and IAS ServersGRP_PREW2KCOMPACCESSPre-Windows 2000 Compatible AccessGRP_REMOTE_DESKTOP_USERSRemote Desktop UsersGRP_NETWORK_CONFIGURATION_OPSNetwork Configuration OperatorsGRP_RID_INCOMING_FOREST_TRUST_BUILDERSIncoming Forest Trust BuildersGRP_MONITORING_USERSPerformance Monitor UsersGRP_LOGGING_USERSPerformance Log UsersGRP_DCOM_USERSDistributed COM UsersGRP_EVENT_LOG_READERSEvent Log ReadersGRP_TS_LICENSE_SERVERSTerminal Server License ServersGRP_AUTHORIZATION_ACCESSWindows Authorization Access GroupGRP_CERTSVC_DCOM_ACCESSCertificate Service DCOM AccessGRP_HYPER_V_ADMINISTRATORSHyper-V AdministratorsS-1-5-32-578GRP_ACCESS_CONTROL_ASSISTANCE_OPSAccess Control Assistance OperatorsS-1-5-32-579GRP_REMOTE_MANAGEMENT_USERSRemote Management UsersS-1-5-32-580GRP_SYSTEM_MANAGED_ACCOUNTSSystem Managed Accounts GroupS-1-5-32-581Getting localized credentials and storing them in properties...LookupUserGroupFromRid failedLookupUserGroupFromRidSDDL failedLookupAliasFromRid failedLookupUserGroupFromSid failedLookupAliasFromRid:Target empty, so account name translation begins on the local system.LookupAccountSidW returned AllocateAndInitializeSid failed and returned LookupUserGroupFromRidSDDL:ConvertStringSidToSid successful!ConvertStringSidToSid failed!Freeing sid..Freeing sid done.LookupUserGroupFromRid:NetUserModalsGet will use empty target computer name.NetUserModalsGet failed with:subAuthorityCount:Initialized Sid 
successfullyCopying subauthorities...Copying subauthorities done.Appending Rid to new Sid...Appending Rid to new Sid done.resolving for SID: Failed to allocate memory for pSid.Freeing buffers..Buffers freed.LookupUserGroupFromSid:ConvertStringSidToSid succeeded!Freeing sid...Closing window AI_CLOSEAPP_WINDOW_FLAGSProcess32FirstWProcess32NextWCreateToolhelp32SnapshotStoppedAI_PROCESS_STATERunningkernel32.dllAI_SERVICE_STATEStartedNot FoundAI_SERVICES_LISTServicesActiveAI_LOGON_AS_SERVICE_ACCOUNTSResolveServicePropertiesResolveServiceProperties start.ResolveServiceProperties end.AI_SetLogOnAsServiceaction starting ...Get the user accounts list ...CustomActionData: LSA open policy return code: SeServiceLogonRightSetting <Log on as a service> policy ...Getting user account SID ...User: lookup account name error: user NOT found!SID value: SID type: Setting security policy for this account ...LSA add account rights return code: LSA close policy ...action completed.AiStyleConditionsOriginalDatabaseAI_DISABLED_FEATURESSELECT `Cabinet` FROM `Media` WHERE `Media`.`Cabinet`='SELECT * FROM `Condition` WHERE `Condition`.`Feature_`='' .cab
Source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp Binary or memory string: DL.Compatibility.InstallationInsideVirtualMachine
Source: Setup.exe Binary or memory string: VmCI"
Source: DLC3A4.exe, 00000010.00000002.681168882.0000000005441000.00000002.00000001.00040000.00000014.sdmp Binary or memory string: SoftwareIsNotRunningInsideParallelsVirtualMachine
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00460A1C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00460A1C
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_003F68D0 LoadLibraryW,GetProcAddress,FreeLibrary, 16_2_003F68D0
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00457EAE GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 16_2_00457EAE
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_003A0287 __set_se_translator,SetUnhandledExceptionFilter, 16_2_003A0287
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe DLC3A4.exe /exelang 1033 ALLOW64BIT=Yes DL_PROMOTE_STORE_APP=Yes DL_PRODUCT_NAME="DisplayLink Graphics" DL_BRANDING_UPGRADE_CODE="{78A36ACD-80D5-490f-B4C4-83D7FCC08391}" DL_BRANDING_PRODUCT_CODE="{08DDE00A-EEEA-416E-9E61-B9085D542140}" DL_BRANDING_CAB="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCABA.tmp" DL_BRANDING_NEW_DEVICE_ACTIVITY=mirror DL_ID_USBDRIVER_PATH="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64" DL_HOTDESK_SERVICE="No" DL_INSTALL_ANALYTICS=Yes DL_TEMP_DIR="C:\Users\user\AppData\Local\Temp\DL2.tmp\" /lv "C:\Users\user\AppData\Local\Temp\DLC335A.LOG"
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\dialogBackgroundGray.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\dialogBackground.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\dlImageButton.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\publicSoftwareBanner.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\radioPending.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\radioDoing.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6084\radioDone.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: GetLocaleInfoW, 16_2_004740B6
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: EnumSystemLocalesW, 16_2_0047415F
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: EnumSystemLocalesW, 16_2_004741AA
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: EnumSystemLocalesW, 16_2_00474245
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 16_2_004742D2
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: GetLocaleInfoW, 16_2_004702A4
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: GetLocaleInfoW, 16_2_00474522
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 16_2_0047464B
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: GetLocaleInfoW, 16_2_00474752
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 16_2_0047481F
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0045AB63 cpuid 16_2_0045AB63
Source: C:\Users\user\Desktop\Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_00423C28 __EH_prolog3,CreateNamedPipeW,CreateFileW, 16_2_00423C28
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLC3A4.exe Code function: 16_2_0047030E GetSystemTimeAsFileTime, 16_2_0047030E
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe Code function: 4_2_00403F64 __EH_prolog,GetVersionExA, 4_2_00403F64
No contacted IP infos