Edit tour

Windows Analysis Report
Boku no Hero Academia 6th Season - Episode 13.exe

Overview

General Information

Sample Name:	Boku no Hero Academia 6th Season - Episode 13.exe
Analysis ID:	776910
MD5:	71eabe2172181c2e4517c30c22cb6d12
SHA1:	caaa052ae05d6032d8361e61fa22a686c6b5a392
SHA256:	147e1b5a750fbfd8863449d523e3d6d110defceb74ad9cdb7c939ab75ffa2180
Infos:

Detection

Score:	26
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Compliance

Score:	36
Range:	0 - 100

Signatures

Uses cmd line tools excessively to alter registry or file data

Obfuscated command line found

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Deletes files inside the Windows folder

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Creates processes with suspicious names

Found dropped PE file which has not been started or loaded

Uses the system / local time for branch decision (may execute only at specific dates)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Is looking for software installed on the system

PE file does not import any functions

DLL planting / hijacking vulnerabilities found

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Found evasive API chain checking for process token information

Binary contains a suspicious time stamp

Uses reg.exe to modify the Windows registry

Checks for available system drives (often done to infect USB drives)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample searches for specific file, try point organization specific fake files to the analysis machine

Process Tree

System is w10x64

Boku no Hero Academia 6th Season - Episode 13.exe (PID: 5216 cmdline: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe MD5: 71EABE2172181C2E4517C30C22CB6D12)

Boku no Hero Academia 6th Season - Episode 13.tmp (PID: 5512 cmdline: "C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp" /SL5="$30408,24635135,780800,C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe" MD5: F16A37D7AF3DB8C75F19AF9B3453D9C8)

Boku no Hero Academia 6th Season - Episode 13.exe (PID: 5204 cmdline: "C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe" /SILENT MD5: 71EABE2172181C2E4517C30C22CB6D12)

Boku no Hero Academia 6th Season - Episode 13.tmp (PID: 2632 cmdline: "C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp" /SL5="$2040C,24635135,780800,C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe" /SILENT MD5: F16A37D7AF3DB8C75F19AF9B3453D9C8)

VC_redist.x64.exe (PID: 1972 cmdline: "C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe" /install /quiet MD5: 703BD677778F2A1BA1EB4338BAC3B868)

VC_redist.x64.exe (PID: 5372 cmdline: "C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe" -burn.filehandle.attached=588 -burn.filehandle.self=628 /install /quiet MD5: 848DA6B57CB8ACC151A8D64D15BA383D)

VC_redist.x64.exe (PID: 5468 cmdline: "C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{E9871BE9-995B-4EFF-BA27-126D1FC36700} {ED4F63C9-39F6-4A7D-A76D-4B8F059F42ED} 5372 MD5: 848DA6B57CB8ACC151A8D64D15BA383D)

VC_redist.x64.exe (PID: 5280 cmdline: "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1008 -burn.embedded BurnPipe.{652D427C-3FCF-4F57-9B0A-0FFBCA2578FC} {CF7111B3-FF83-47BF-A56D-0E99B89A84C1} 5468 MD5: CAA6E1DCAE648CE17BC57A5B7D383CC8)

VC_redist.x64.exe (PID: 2140 cmdline: "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1008 -burn.embedded BurnPipe.{652D427C-3FCF-4F57-9B0A-0FFBCA2578FC} {CF7111B3-FF83-47BF-A56D-0E99B89A84C1} 5468 MD5: CAA6E1DCAE648CE17BC57A5B7D383CC8)

VC_redist.x64.exe (PID: 4548 cmdline: "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{DC57C196-DCD2-4148-818F-F83AAF0E5C46} {63FE371D-956D-4D2B-988F-00929D1EE668} 2140 MD5: CAA6E1DCAE648CE17BC57A5B7D383CC8)

InstallExtension.exe (PID: 1580 cmdline: "C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe" install MD5: 6B435C6EA00DA06603EA9927D489AB6A)

cmd.exe (PID: 5816 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\WindowsApp\chrome.bat" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5912 cmdline: schtasks.exe /Create /XML "C:\Users\user\AppData\Local\WindowsApp\reg.xml" /tn GoogleUpdate MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

cmd.exe (PID: 5928 cmdline: C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\WindowsApp\reg.bat" install MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6036 cmdline: schtasks.exe /Create /XML "C:\Users\user\AppData\Local\WindowsApp\reg.xml" /tn GoogleUpdate MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

msiexec.exe (PID: 1092 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

VC_redist.x64.exe (PID: 1272 cmdline: "C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe" /burn.runonce MD5: 848DA6B57CB8ACC151A8D64D15BA383D)

VC_redist.x64.exe (PID: 4668 cmdline: "C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe" /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20230102153454.log" /install MD5: 848DA6B57CB8ACC151A8D64D15BA383D)

VC_redist.x64.exe (PID: 3732 cmdline: "C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe" -burn.filehandle.attached=588 -burn.filehandle.self=564 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20230102153454.log" /install MD5: 848DA6B57CB8ACC151A8D64D15BA383D)

VC_redist.x64.exe (PID: 1324 cmdline: "C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{9F679354-B01C-4132-8C3B-9D0B8BAD9686} {7ADE5D70-631D-453D-B602-70E5C1B36EAF} 3732 MD5: 848DA6B57CB8ACC151A8D64D15BA383D)

VC_redist.x64.exe (PID: 4544 cmdline: "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=900 -burn.embedded BurnPipe.{8ADE75BE-8C64-4D11-B05A-A6C78AECD63F} {6EE058D7-D097-43E8-87F0-A357D97D5238} 1324 MD5: CAA6E1DCAE648CE17BC57A5B7D383CC8)

VC_redist.x64.exe (PID: 4008 cmdline: "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.filehandle.attached=576 -burn.filehandle.self=572 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=900 -burn.embedded BurnPipe.{8ADE75BE-8C64-4D11-B05A-A6C78AECD63F} {6EE058D7-D097-43E8-87F0-A357D97D5238} 1324 MD5: CAA6E1DCAE648CE17BC57A5B7D383CC8)

InstallExtension.exe (PID: 5852 cmdline: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe MD5: 6B435C6EA00DA06603EA9927D489AB6A)

cmd.exe (PID: 6092 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\WindowsApp\chrome.bat" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 5392 cmdline: REG DELETE HKLM\SOFTWARE\Policies\Google\Chrome /f MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 4396 cmdline: REG DELETE HKLM\SOFTWARE\Google\Chrome\Extensions\dbffglanhdhedkjkijpkplhpcdndpchj /f MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 5428 cmdline: REG DELETE HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\dbffglanhdhedkjkijpkplhpcdndpchj /f MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 5416 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d dbffglanhdhedkjkijpkplhpcdndpchj /f MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 2040 cmdline: REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\dbffglanhdhedkjkijpkplhpcdndpchj" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\WindowsApp\apps-helper\apps.crx" /f MD5: E3DACF0B31841FA02064B4457D44B357)

reg.exe (PID: 4528 cmdline: REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\dbffglanhdhedkjkijpkplhpcdndpchj" /v "version" /t REG_SZ /d 1.0 /f MD5: E3DACF0B31841FA02064B4457D44B357)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_00029EB7 DecryptFileW,	4_2_00029EB7
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0004F961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	4_2_0004F961
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_00029C99 DecryptFileW,DecryptFileW,	4_2_00029C99
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000C9EB7 DecryptFileW,	5_2_000C9EB7
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000EF961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	5_2_000EF961
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000C9C99 DecryptFileW,DecryptFileW,	5_2_000C9C99

Privilege Escalation

DLL planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: edputil.dll
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: PROPSYS.dll
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: SspiCli.dll
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: MSVCP140.dll
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: iertutil.dll
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: VCRUNTIME140_1.dll
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: urlmon.dll
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: CRYPTBASE.DLL
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: CLDAPI.dll
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: VCRUNTIME140.dll

Compliance

Uses 32bit PE files

Source: Boku no Hero Academia 6th Season - Episode 13.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

DLL planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: edputil.dll
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: PROPSYS.dll
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: SspiCli.dll
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: MSVCP140.dll
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: iertutil.dll
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: VCRUNTIME140_1.dll
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: urlmon.dll
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: CRYPTBASE.DLL
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: CLDAPI.dll
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	DLL: VCRUNTIME140.dll

Creates a software restore point

Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone			Jump to behavior
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone

Creates license or readme file

Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1028\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1029\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1031\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1036\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1040\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1041\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1042\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1045\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1046\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1049\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1055\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\2052\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\3082\license.rtf	Jump to behavior
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\3082\license.rtf

Creates a software uninstall entry

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF4C347D-954E-4543-88D2-EC17F07F466F}

Creates a directory in C:\Program Files

Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp

Directory created: C:\Program Files\Installer

Jump to behavior

PE / OLE file has a valid certificate

Source: Boku no Hero Academia 6th Season - Episode 13.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Boku no Hero Academia 6th Season - Episode 13.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: VC_redist.x64.exe, 00000004.00000002.377084608.000000000005B000.00000002.00000001.01000000.00000008.sdmp, VC_redist.x64.exe, 00000004.00000000.270201080.000000000005B000.00000002.00000001.01000000.00000008.sdmp, VC_redist.x64.exe, 00000005.00000000.271727251.00000000000FB000.00000002.00000001.01000000.0000000A.sdmp, VC_redist.x64.exe, 00000005.00000002.374381326.00000000000FB000.00000002.00000001.01000000.0000000A.sdmp, VC_redist.x64.exe, 00000007.00000000.285438279.0000000000EBB000.00000002.00000001.01000000.0000000D.sdmp, VC_redist.x64.exe, 00000007.00000002.368408492.0000000000EBB000.00000002.00000001.01000000.0000000D.sdmp, VC_redist.x64.exe, 00000010.00000002.324092324.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000010.00000000.318798304.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000011.00000002.375653352.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000011.00000000.322751737.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000012.00000002.373692696.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000012.00000000.324242625.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000013.00000002.366393157.000000000005B000.00000002.00000001.01000000.00000013.sdmp, VC_redist.x64.exe, 00000014.00000002.363516573.000000000005B000.00000002.00000001.01000000.00000013.sdmp, VC_redist.x64.exe, 00000019.00000002.371119144.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000019.00000000.348409137.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 0000001B.00000002.368331825.000000000005B000.00000002.00000001.01000000.00000013.sdmp, VC_redist.x64.exe, 0000001C.00000002.366244549.000000000005B000.00000002.00000001.01000000.00000013.sdmp, VC_redist.x64.exe, 0000001D.00000002.356595702.000000000005B000.00000002.00000001.01000000.00000013.sdmp, VC_redist.x64.exe.5.dr, VC_redist.x64.exe.7.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: msvcp140.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\MFCM140U.amd64.pdb source: mfcm140u.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdbGCTL source: msvcp140.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcamp140.amd64.pdb source: vcamp140.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\MFC140DEU.amd64.pdb source: mfc140deu.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\MFC140ENU.amd64.pdb source: mfc140enu.dll.15.dr
Source:	Binary string: C:\Users\dsaxc\Desktop\InstallExtension\x64\Release\InstallExtension.pdb source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.392947585.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, InstallExtension.exe, 0000001E.00000000.378319985.00007FF6C2DF7000.00000002.00000001.01000000.00000015.sdmp, InstallExtension.exe, 0000001E.00000002.382242447.00007FF6C2DF7000.00000002.00000001.01000000.00000015.sdmp, InstallExtension.exe, 00000022.00000000.382129606.00007FF6C2DF7000.00000002.00000001.01000000.00000015.sdmp, InstallExtension.exe, 00000022.00000002.387277253.00007FF6C2DF7000.00000002.00000001.01000000.00000015.sdmp, is-NDGJF.tmp.3.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\concrt140.amd64.pdb source: concrt140.dll.15.dr
Source:	Binary string: C:\Users\dsaxc\Desktop\InstallExtension\x64\Release\InstallExtension.pdb%% source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.392947585.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, InstallExtension.exe, 0000001E.00000000.378319985.00007FF6C2DF7000.00000002.00000001.01000000.00000015.sdmp, InstallExtension.exe, 0000001E.00000002.382242447.00007FF6C2DF7000.00000002.00000001.01000000.00000015.sdmp, InstallExtension.exe, 00000022.00000000.382129606.00007FF6C2DF7000.00000002.00000001.01000000.00000015.sdmp, InstallExtension.exe, 00000022.00000002.387277253.00007FF6C2DF7000.00000002.00000001.01000000.00000015.sdmp, is-NDGJF.tmp.3.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_atomic_wait.amd64.pdbGCTL source: msvcp140_atomic_wait.dll.15.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: wixstdba.dll.5.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_atomic_wait.amd64.pdb source: msvcp140_atomic_wait.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdb source: msvcp140_2.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\MFC140JPN.amd64.pdb source: mfc140jpn.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcamp140.amd64.pdbGCTL source: vcamp140.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdbGCTL source: msvcp140_2.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\concrt140.amd64.pdbGCTL source: concrt140.dll.15.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixDepCA.pdb source: vcRuntimeAdditional_x64.5.dr, 3cd711.msi.15.dr

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_00013BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	4_2_00013BC3
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_00054315 FindFirstFileW,FindClose,	4_2_00054315
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0002993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	4_2_0002993E
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_00047A87 FindFirstFileExW,	4_2_00047A87
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000F4315 FindFirstFileW,FindClose,	5_2_000F4315
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000C993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	5_2_000C993E
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000B3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	5_2_000B3BC3
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000E7A87 FindFirstFileExW,	5_2_000E7A87

Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	File opened: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab	Jump to behavior
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	File opened: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\NULL	Jump to behavior
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	File opened: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\NULL	Jump to behavior
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	File opened: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64	Jump to behavior
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	File opened: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages	Jump to behavior
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	File opened: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\NULL	Jump to behavior

Networking

Source: VC_redist.x64.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: VC_redist.x64.exe, 00000004.00000002.377084608.000000000005B000.00000002.00000001.01000000.00000008.sdmp, VC_redist.x64.exe, 00000004.00000000.270201080.000000000005B000.00000002.00000001.01000000.00000008.sdmp, VC_redist.x64.exe, 00000005.00000000.271727251.00000000000FB000.00000002.00000001.01000000.0000000A.sdmp, VC_redist.x64.exe, 00000005.00000002.374381326.00000000000FB000.00000002.00000001.01000000.0000000A.sdmp, VC_redist.x64.exe, 00000007.00000000.285438279.0000000000EBB000.00000002.00000001.01000000.0000000D.sdmp, VC_redist.x64.exe, 00000007.00000002.368408492.0000000000EBB000.00000002.00000001.01000000.0000000D.sdmp, VC_redist.x64.exe, 00000010.00000002.324092324.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000010.00000000.318798304.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000011.00000002.375653352.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000011.00000000.322751737.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000012.00000002.373692696.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000012.00000000.324242625.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000013.00000002.366393157.000000000005B000.00000002.00000001.01000000.00000013.sdmp, VC_redist.x64.exe, 00000014.00000002.363516573.000000000005B000.00000002.00000001.01000000.00000013.sdmp, VC_redist.x64.exe, 00000019.00000002.371119144.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000019.00000000.348409137.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 0000001B.00000002.368331825.000000000005B000.00000002.00000001.01000000.00000013.sdmp, VC_redist.x64.exe, 0000001C.00000002.366244549.000000000005B000.00000002.00000001.01000000.00000013.sdmp, VC_redist.x64.exe, 0000001D.00000002.356595702.000000000005B000.00000002.00000001.01000000.00000013.sdmp, VC_redist.x64.exe.5.dr, VC_redist.x64.exe.7.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.408510272.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-NDGJF.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.408510272.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-NDGJF.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.408510272.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-NDGJF.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.408510272.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-NDGJF.tmp.3.dr	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.408510272.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-NDGJF.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.408510272.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-NDGJF.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.408510272.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-NDGJF.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.408510272.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-NDGJF.tmp.3.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.408510272.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-NDGJF.tmp.3.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.408510272.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-NDGJF.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.408510272.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-NDGJF.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.408510272.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-NDGJF.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.408510272.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-NDGJF.tmp.3.dr	String found in binary or memory: http://ocsps.ssl.com0
Source: VC_redist.x64.exe, 0000001C.00000003.364850644.00000000037AB000.00000004.00000800.00020000.00000000.sdmp, VC_redist.x64.exe, 0000001C.00000003.365160612.0000000003390000.00000004.00000020.00020000.00000000.sdmp, thm.xml.20.dr, thm.xml.18.dr	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: VC_redist.x64.exe, 00000012.00000002.374125705.0000000003100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010d=
Source: VC_redist.x64.exe, 00000012.00000002.374125705.0000000003100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010le
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.408510272.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-NDGJF.tmp.3.dr	String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: Boku no Hero Academia 6th Season - Episode 13.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000001.00000003.250432231.0000000003500000.00000004.00001000.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.exe, 00000002.00000003.410317140.0000000002304000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://smash.com
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000001.00000003.253560445.00000000025E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://smash.com1R
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.407483126.00000000024F4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://smash.com1RO
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000001.00000003.253560445.00000000025E4000.00000004.00001000.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.407483126.00000000024F4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://smash.com2
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000001.00000003.253560445.00000000025E4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://smash.comiR
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.407483126.00000000024F4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://smash.comiRO
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.407001467.00000000024E6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.408105135.0000000000A81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.php
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.408105135.0000000000A81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.php(
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.404958372.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.409480442.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.php2
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.409374574.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.404893356.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.php8
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.404958372.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.409434366.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.php:
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.408105135.0000000000A81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.php=
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.407404878.00000000024ED000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.phpA
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.409693542.0000000003920000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.phpC:
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.404958372.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.409480442.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.phpJ6
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.404958372.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.409480442.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.phpR
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.409391670.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.404893356.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.phpVH
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.404958372.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.409434366.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.phpb
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.404958372.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.409434366.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.phpeewi
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.408105135.0000000000A81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.phpl
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.404958372.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.409480442.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.phplW7
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.409410186.0000000000AD5000.00000004.00000020.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.404893356.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.phpoft
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.404958372.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.409480442.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.phpv7
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.409410186.0000000000AD5000.00000004.00000020.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.404893356.0000000000AC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.phpwEI
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.404958372.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.409480442.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com/welcome2.php~6s
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.409029766.0000000000A48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://smashbrowser.com;4
Source: Boku no Hero Academia 6th Season - Episode 13.exe, 00000000.00000003.244618238.0000000002520000.00000004.00001000.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.exe, 00000000.00000003.245016813.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp, 00000001.00000000.248083178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp.2.dr	String found in binary or memory: https://www.innosetup.com/
Source: Boku no Hero Academia 6th Season - Episode 13.exe, 00000000.00000003.244618238.0000000002520000.00000004.00001000.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.exe, 00000000.00000003.245016813.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp, 00000001.00000000.248083178.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Boku no Hero Academia 6th Season - Episode 13.tmp.2.dr	String found in binary or memory: https://www.remobjects.com/ps
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.408510272.000000000018D000.00000004.00000010.00020000.00000000.sdmp, is-NDGJF.tmp.3.dr	String found in binary or memory: https://www.ssl.com/repository0

Source: unknown

DNS traffic detected: queries for: accounts.google.com

System Summary

Uses 32bit PE files

Source: Boku no Hero Academia 6th Season - Episode 13.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Deletes files inside the Windows folder

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe

File deleted: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe

Jump to behavior

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\3cd703.msi

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0003C0FA	4_2_0003C0FA
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_00016184	4_2_00016184
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0004022D	4_2_0004022D
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0004A3B0	4_2_0004A3B0
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_00040662	4_2_00040662
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0001A7EF	4_2_0001A7EF
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0004A85E	4_2_0004A85E
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0003F919	4_2_0003F919
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_000269CC	4_2_000269CC
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_00040A97	4_2_00040A97
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_00042B21	4_2_00042B21
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0004ED4C	4_2_0004ED4C
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_00042D50	4_2_00042D50
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0003FE15	4_2_0003FE15
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000C69CC	5_2_000C69CC
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000DC0FA	5_2_000DC0FA
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000B6184	5_2_000B6184
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000E022D	5_2_000E022D
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000EA3B0	5_2_000EA3B0
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000E0662	5_2_000E0662
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000BA7EF	5_2_000BA7EF
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000EA85E	5_2_000EA85E
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000DF919	5_2_000DF919
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000E0A97	5_2_000E0A97
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000E2B21	5_2_000E2B21
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000EED4C	5_2_000EED4C
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000E2D50	5_2_000E2D50
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000DFE15	5_2_000DFE15

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: String function: 0005061A appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: String function: 00011F20 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: String function: 000531C7 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: String function: 000137D3 appears 496 times
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: String function: 0005012F appears 677 times
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: String function: 000F012F appears 678 times
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: String function: 000F061A appears 34 times
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: String function: 000B1F20 appears 54 times
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: String function: 000F31C7 appears 83 times
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: String function: 000B37D3 appears 496 times

PE file contains executable resources (Code or Archives)

Source: Boku no Hero Academia 6th Season - Episode 13.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Boku no Hero Academia 6th Season - Episode 13.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

PE file does not import any functions

Source: mfc140deu.dll.15.dr	Static PE information: No import functions for PE file found
Source: mfc140rus.dll.15.dr	Static PE information: No import functions for PE file found
Source: mfc140cht.dll.15.dr	Static PE information: No import functions for PE file found
Source: mfc140jpn.dll.15.dr	Static PE information: No import functions for PE file found
Source: mfc140kor.dll.15.dr	Static PE information: No import functions for PE file found
Source: mfc140fra.dll.15.dr	Static PE information: No import functions for PE file found
Source: mfc140chs.dll.15.dr	Static PE information: No import functions for PE file found
Source: mfc140esn.dll.15.dr	Static PE information: No import functions for PE file found
Source: mfc140ita.dll.15.dr	Static PE information: No import functions for PE file found
Source: mfc140enu.dll.15.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: Boku no Hero Academia 6th Season - Episode 13.exe, 00000000.00000003.255058911.00000000022E8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs Boku no Hero Academia 6th Season - Episode 13.exe
Source: Boku no Hero Academia 6th Season - Episode 13.exe, 00000000.00000000.243931389.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs Boku no Hero Academia 6th Season - Episode 13.exe
Source: Boku no Hero Academia 6th Season - Episode 13.exe, 00000000.00000003.244618238.0000000002520000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Boku no Hero Academia 6th Season - Episode 13.exe
Source: Boku no Hero Academia 6th Season - Episode 13.exe, 00000000.00000003.245016813.000000007FBD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Boku no Hero Academia 6th Season - Episode 13.exe
Source: Boku no Hero Academia 6th Season - Episode 13.exe, 00000002.00000003.410259634.00000000022D8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs Boku no Hero Academia 6th Season - Episode 13.exe
Source: Boku no Hero Academia 6th Season - Episode 13.exe	Binary or memory string: OriginalFileName vs Boku no Hero Academia 6th Season - Episode 13.exe

Tries to load missing DLLs

Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	Section loaded: tsappcmp.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll

Uses reg.exe to modify the Windows registry

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Policies\Google\Chrome /f

Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe

File read: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe

Jump to behavior

Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe
Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	Process created: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp "C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp" /SL5="$30408,24635135,780800,C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe"
Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process created: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe "C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe" /SILENT
Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	Process created: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp "C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp" /SL5="$2040C,24635135,780800,C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe" /SILENT
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe "C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe" /install /quiet
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Process created: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe "C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe" -burn.filehandle.attached=588 -burn.filehandle.self=628 /install /quiet
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Process created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe "C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{E9871BE9-995B-4EFF-BA27-126D1FC36700} {ED4F63C9-39F6-4A7D-A76D-4B8F059F42ED} 5372
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: unknown	Process created: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe" /burn.runonce
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe" /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20230102153454.log" /install
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe" -burn.filehandle.attached=588 -burn.filehandle.self=564 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20230102153454.log" /install
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1008 -burn.embedded BurnPipe.{652D427C-3FCF-4F57-9B0A-0FFBCA2578FC} {CF7111B3-FF83-47BF-A56D-0E99B89A84C1} 5468
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1008 -burn.embedded BurnPipe.{652D427C-3FCF-4F57-9B0A-0FFBCA2578FC} {CF7111B3-FF83-47BF-A56D-0E99B89A84C1} 5468
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{9F679354-B01C-4132-8C3B-9D0B8BAD9686} {7ADE5D70-631D-453D-B602-70E5C1B36EAF} 3732
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=900 -burn.embedded BurnPipe.{8ADE75BE-8C64-4D11-B05A-A6C78AECD63F} {6EE058D7-D097-43E8-87F0-A357D97D5238} 1324
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.filehandle.attached=576 -burn.filehandle.self=572 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=900 -burn.embedded BurnPipe.{8ADE75BE-8C64-4D11-B05A-A6C78AECD63F} {6EE058D7-D097-43E8-87F0-A357D97D5238} 1324
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{DC57C196-DCD2-4148-818F-F83AAF0E5C46} {63FE371D-956D-4D2B-988F-00929D1EE668} 2140
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process created: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe "C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe" install
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\WindowsApp\chrome.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Local\WindowsApp\reg.xml" /tn GoogleUpdate
Source: unknown	Process created: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\WindowsApp\reg.bat" install
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Local\WindowsApp\reg.xml" /tn GoogleUpdate
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\WindowsApp\chrome.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Policies\Google\Chrome /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Google\Chrome\Extensions\dbffglanhdhedkjkijpkplhpcdndpchj /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\dbffglanhdhedkjkijpkplhpcdndpchj /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d dbffglanhdhedkjkijpkplhpcdndpchj /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\dbffglanhdhedkjkijpkplhpcdndpchj" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\WindowsApp\apps-helper\apps.crx" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\dbffglanhdhedkjkijpkplhpcdndpchj" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	Process created: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp "C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp" /SL5="$30408,24635135,780800,C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process created: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe "C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe" /SILENT	Jump to behavior
Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	Process created: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp "C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp" /SL5="$2040C,24635135,780800,C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe" /SILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe "C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe" /install /quiet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process created: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe "C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe" install	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\WindowsApp\reg.bat" install	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Process created: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe "C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe" -burn.filehandle.attached=588 -burn.filehandle.self=628 /install /quiet	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Process created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe "C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{E9871BE9-995B-4EFF-BA27-126D1FC36700} {ED4F63C9-39F6-4A7D-A76D-4B8F059F42ED} 5372	Jump to behavior
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1008 -burn.embedded BurnPipe.{652D427C-3FCF-4F57-9B0A-0FFBCA2578FC} {CF7111B3-FF83-47BF-A56D-0E99B89A84C1} 5468	Jump to behavior
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe" /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20230102153454.log" /install
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe" -burn.filehandle.attached=588 -burn.filehandle.self=564 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20230102153454.log" /install
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1008 -burn.embedded BurnPipe.{652D427C-3FCF-4F57-9B0A-0FFBCA2578FC} {CF7111B3-FF83-47BF-A56D-0E99B89A84C1} 5468
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{DC57C196-DCD2-4148-818F-F83AAF0E5C46} {63FE371D-956D-4D2B-988F-00929D1EE668} 2140
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=900 -burn.embedded BurnPipe.{8ADE75BE-8C64-4D11-B05A-A6C78AECD63F} {6EE058D7-D097-43E8-87F0-A357D97D5238} 1324
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.filehandle.attached=576 -burn.filehandle.self=572 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=900 -burn.embedded BurnPipe.{8ADE75BE-8C64-4D11-B05A-A6C78AECD63F} {6EE058D7-D097-43E8-87F0-A357D97D5238} 1324
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\WindowsApp\chrome.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Local\WindowsApp\reg.xml" /tn GoogleUpdate
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\WindowsApp\chrome.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Local\WindowsApp\reg.xml" /tn GoogleUpdate
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Policies\Google\Chrome /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Google\Chrome\Extensions\dbffglanhdhedkjkijpkplhpcdndpchj /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\dbffglanhdhedkjkijpkplhpcdndpchj /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d dbffglanhdhedkjkijpkplhpcdndpchj /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\dbffglanhdhedkjkijpkplhpcdndpchj" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\WindowsApp\apps-helper\apps.crx" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\dbffglanhdhedkjkijpkplhpcdndpchj" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_000144E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		4_2_000144E9
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000B44E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		5_2_000B44E9

Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe

File created: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp

Jump to behavior

Source: classification engine

Classification label: sus26.winEXE@73/269@12/0

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe

Code function: 4_2_00052F23 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

4_2_00052F23

Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: vcRuntimeAdditional_x64.5.dr, 3cd711.msi.15.dr

Binary or memory string: SELECT `WixDependencyProvider`.`WixDependencyProvider`, `WixDependencyProvider`.`Component_`, `WixDependencyProvider`.`ProviderKey`, `WixDependencyProvider`.`Attributes` FROM `WixDependencyProvider`SELECT `WixDependency`.`WixDependency`, `WixDependencyProvider`.`Component_`, `WixDependency`.`ProviderKey`, `WixDependency`.`MinVersion`, `WixDependency`.`MaxVersion`, `WixDependency`.`Attributes` FROM `WixDependencyProvider`, `WixDependency`, `WixDependencyRef` WHERE `WixDependency`.`WixDependency` = `WixDependencyRef`.`WixDependency_` AND `WixDependencyProvider`.`WixDependencyProvider` = `WixDependencyRef`.`WixDependencyProvider_`WixDependencyRequireFailed to initialize.Failed to initialize the registry functions.ALLUSERSFailed to ensure required dependencies for (re)installing components.WixDependencyCheckFailed to ensure absent dependents for uninstalling components.WixDependencySkipping the dependency check since no dependencies are authored.Failed to check if the WixDependency table exists.Failed to initialize the unique dependency string list.Failed to open the query view for dependencies.Failed to get WixDependency.WixDependency.Failed to get WixDependencyProvider.Component_.Skipping dependency check for %ls because the component %ls is not being (re)installed.Failed to get WixDependency.ProviderKey.Failed to get WixDependency.MinVersion.Failed to get WixDependency.MaxVersion.Failed to get WixDependency.Attributes.Failed dependency check for %ls.Failed to enumerate all of the rows in the dependency query view.Failed to create the dependency record for message %d.Unexpected message response %d from user or bootstrapper application.Failed to get the ignored dependents.ALLFailed to check if "ALL" was set in IGNOREDEPENDENCIES.Skipping the dependencies check since IGNOREDEPENDENCIES contains "ALL".WixDependencyProviderSkipping the dependents check since no dependency providers are authored.Failed to check if the WixDependencyProvider table exists.Failed to open the query view for dependency providers.Failed to get WixDependencyProvider.WixDependencyProvider.Failed to get WixDependencyProvider.Component.Skipping dependents check for %ls because the component %ls is not being uninstalled.Failed to get WixDependencyProvider.ProviderKey.Failed to get WixDependencyProvider.Attributes.Failed dependents check for %ls.Failed to enumerate all of the rows in the dependency provider query view.;IGNOREDEPENDENCIESFailed to get the string value of the IGNOREDEPENDENCIES property.Failed to create the string dictionary.Failed to ignored dependency "%ls" to the string dictionary.wixdepca.cppNot enough memory to create the message record.Failed to set the message identifier into the message record.Failed to set the number of dependencies into the message record.The dependency "%ls" is missing or is not the required version.Found dependent "%ls", name: "%ls".Failed to set the dependency key "%ls" into the message record.Failed to set the dependency name "%ls" into

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe

Code function: 4_2_0004FD20 FormatMessageW,GetLastError,LocalFree,

4_2_0004FD20

Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe

Code function: 4_2_00036945 ChangeServiceConfigW,GetLastError,

4_2_00036945

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp

File created: C:\Program Files\Installer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Command line argument: cabinet.dll	4_2_00011070
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Command line argument: msi.dll	4_2_00011070
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Command line argument: version.dll	4_2_00011070
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Command line argument: wininet.dll	4_2_00011070
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Command line argument: comres.dll	4_2_00011070
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Command line argument: clbcatq.dll	4_2_00011070
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Command line argument: msasn1.dll	4_2_00011070
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Command line argument: crypt32.dll	4_2_00011070
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Command line argument: feclient.dll	4_2_00011070
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Command line argument: cabinet.dll	5_2_000B1070
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Command line argument: msi.dll	5_2_000B1070
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Command line argument: version.dll	5_2_000B1070
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Command line argument: wininet.dll	5_2_000B1070
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Command line argument: comres.dll	5_2_000B1070
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Command line argument: clbcatq.dll	5_2_000B1070
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Command line argument: msasn1.dll	5_2_000B1070
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Command line argument: crypt32.dll	5_2_000B1070
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Command line argument: feclient.dll	5_2_000B1070

Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\WindowsApp\chrome.bat" "

Source: VC_redist.x64.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: VC_redist.x64.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: Boku no Hero Academia 6th Season - Episode 13.exe	String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Reads the Windows registered owner settings

Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Executable creates window controls seldom found in malware

Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp

Window found: window name: TMainForm

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Automated click: Next >

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Found window with many clickable UI elements (buttons, textforms, scrollbars etc)

Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Window detected: Number of UI elements: 23
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Window detected: Number of UI elements: 23

Creates a software uninstall entry

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF4C347D-954E-4543-88D2-EC17F07F466F}

Submission file is bigger than most known malware samples

Source: Boku no Hero Academia 6th Season - Episode 13.exe

Static file information: File size 25461096 > 1048576

Creates a directory in C:\Program Files

Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp

Directory created: C:\Program Files\Installer

Jump to behavior

PE / OLE file has a valid certificate

Source: Boku no Hero Academia 6th Season - Episode 13.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Boku no Hero Academia 6th Season - Episode 13.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: VC_redist.x64.exe, 00000004.00000002.377084608.000000000005B000.00000002.00000001.01000000.00000008.sdmp, VC_redist.x64.exe, 00000004.00000000.270201080.000000000005B000.00000002.00000001.01000000.00000008.sdmp, VC_redist.x64.exe, 00000005.00000000.271727251.00000000000FB000.00000002.00000001.01000000.0000000A.sdmp, VC_redist.x64.exe, 00000005.00000002.374381326.00000000000FB000.00000002.00000001.01000000.0000000A.sdmp, VC_redist.x64.exe, 00000007.00000000.285438279.0000000000EBB000.00000002.00000001.01000000.0000000D.sdmp, VC_redist.x64.exe, 00000007.00000002.368408492.0000000000EBB000.00000002.00000001.01000000.0000000D.sdmp, VC_redist.x64.exe, 00000010.00000002.324092324.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000010.00000000.318798304.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000011.00000002.375653352.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000011.00000000.322751737.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000012.00000002.373692696.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000012.00000000.324242625.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000013.00000002.366393157.000000000005B000.00000002.00000001.01000000.00000013.sdmp, VC_redist.x64.exe, 00000014.00000002.363516573.000000000005B000.00000002.00000001.01000000.00000013.sdmp, VC_redist.x64.exe, 00000019.00000002.371119144.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 00000019.00000000.348409137.0000000000C6B000.00000002.00000001.01000000.00000010.sdmp, VC_redist.x64.exe, 0000001B.00000002.368331825.000000000005B000.00000002.00000001.01000000.00000013.sdmp, VC_redist.x64.exe, 0000001C.00000002.366244549.000000000005B000.00000002.00000001.01000000.00000013.sdmp, VC_redist.x64.exe, 0000001D.00000002.356595702.000000000005B000.00000002.00000001.01000000.00000013.sdmp, VC_redist.x64.exe.5.dr, VC_redist.x64.exe.7.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: msvcp140.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\MFCM140U.amd64.pdb source: mfcm140u.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdbGCTL source: msvcp140.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcamp140.amd64.pdb source: vcamp140.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\MFC140DEU.amd64.pdb source: mfc140deu.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\MFC140ENU.amd64.pdb source: mfc140enu.dll.15.dr
Source:	Binary string: C:\Users\dsaxc\Desktop\InstallExtension\x64\Release\InstallExtension.pdb source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.392947585.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, InstallExtension.exe, 0000001E.00000000.378319985.00007FF6C2DF7000.00000002.00000001.01000000.00000015.sdmp, InstallExtension.exe, 0000001E.00000002.382242447.00007FF6C2DF7000.00000002.00000001.01000000.00000015.sdmp, InstallExtension.exe, 00000022.00000000.382129606.00007FF6C2DF7000.00000002.00000001.01000000.00000015.sdmp, InstallExtension.exe, 00000022.00000002.387277253.00007FF6C2DF7000.00000002.00000001.01000000.00000015.sdmp, is-NDGJF.tmp.3.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\concrt140.amd64.pdb source: concrt140.dll.15.dr
Source:	Binary string: C:\Users\dsaxc\Desktop\InstallExtension\x64\Release\InstallExtension.pdb%% source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.392947585.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, InstallExtension.exe, 0000001E.00000000.378319985.00007FF6C2DF7000.00000002.00000001.01000000.00000015.sdmp, InstallExtension.exe, 0000001E.00000002.382242447.00007FF6C2DF7000.00000002.00000001.01000000.00000015.sdmp, InstallExtension.exe, 00000022.00000000.382129606.00007FF6C2DF7000.00000002.00000001.01000000.00000015.sdmp, InstallExtension.exe, 00000022.00000002.387277253.00007FF6C2DF7000.00000002.00000001.01000000.00000015.sdmp, is-NDGJF.tmp.3.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_atomic_wait.amd64.pdbGCTL source: msvcp140_atomic_wait.dll.15.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: wixstdba.dll.5.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_atomic_wait.amd64.pdb source: msvcp140_atomic_wait.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdb source: msvcp140_2.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\MFC140JPN.amd64.pdb source: mfc140jpn.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcamp140.amd64.pdbGCTL source: vcamp140.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdbGCTL source: msvcp140_2.dll.15.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\concrt140.amd64.pdbGCTL source: concrt140.dll.15.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixDepCA.pdb source: vcRuntimeAdditional_x64.5.dr, 3cd711.msi.15.dr

Data Obfuscation

Obfuscated command line found

Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	Process created: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp "C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp" /SL5="$30408,24635135,780800,C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe"
Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	Process created: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp "C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp" /SL5="$2040C,24635135,780800,C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe" /SILENT
Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	Process created: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp "C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp" /SL5="$30408,24635135,780800,C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	Process created: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp "C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp" /SL5="$2040C,24635135,780800,C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe" /SILENT	Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0003E876 push ecx; ret		4_2_0003E889
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000DE876 push ecx; ret		5_2_000DE889

PE file contains sections with non-standard names

Source: Boku no Hero Academia 6th Season - Episode 13.exe	Static PE information: section name: .didata
Source: Boku no Hero Academia 6th Season - Episode 13.tmp.0.dr	Static PE information: section name: .didata
Source: Boku no Hero Academia 6th Season - Episode 13.tmp.2.dr	Static PE information: section name: .didata
Source: is-DLQHQ.tmp.3.dr	Static PE information: section name: .wixburn
Source: VC_redist.x64.exe.4.dr	Static PE information: section name: .wixburn
Source: VC_redist.x64.exe.5.dr	Static PE information: section name: .wixburn
Source: VC_redist.x64.exe.7.dr	Static PE information: section name: .wixburn
Source: mfc140.dll.15.dr	Static PE information: section name: .didat
Source: mfc140u.dll.15.dr	Static PE information: section name: .didat
Source: mfcm140.dll.15.dr	Static PE information: section name: .nep
Source: mfcm140u.dll.15.dr	Static PE information: section name: .nep
Source: vcomp140.dll.15.dr	Static PE information: section name: _RDATA
Source: vcruntime140.dll.15.dr	Static PE information: section name: _RDATA

Binary contains a suspicious time stamp

Source: mfc140.dll.15.dr

Static PE information: 0xFBD5982D [Wed Nov 21 09:09:01 2103 UTC]

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe

File created: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe

Jump to dropped file

Creates processes with suspicious names

Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	File created: \boku no hero academia 6th season - episode 13.exe
Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	File created: \boku no hero academia 6th season - episode 13.tmp
Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	File created: \boku no hero academia 6th season - episode 13.exe
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	File created: \boku no hero academia 6th season - episode 13.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	File created: \boku no hero academia 6th season - episode 13.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	File created: \boku no hero academia 6th season - episode 13.tmp
Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	File created: \boku no hero academia 6th season - episode 13.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	File created: \boku no hero academia 6th season - episode 13.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	File created: \boku no hero academia 6th season - episode 13.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	File created: \boku no hero academia 6th season - episode 13.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	File created: \boku no hero academia 6th season - episode 13.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	File created: \boku no hero academia 6th season - episode 13.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	File created: \boku no hero academia 6th season - episode 13.tmp	Jump to behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: 3cd71e.rbf (copy)	Jump to dropped file
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140jpn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140ita.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140esn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd70e.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140deu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd71b.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd708.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd718.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140chs.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfcm140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd722.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140enu.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	File created: C:\Users\user\AppData\Local\WindowsApp\is-NDGJF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\concrt140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140fra.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd70b.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\vccorlib140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd707.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd71c.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\vcruntime140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\msvcp140_atomic_wait.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\vcomp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd71d.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd70d.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140cht.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140rus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfcm140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140kor.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	File created: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\msvcp140_2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	File created: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	File created: C:\Users\user\AppData\Local\Temp\is-QUMRA.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd724.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd71f.rbf (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	File created: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd70a.rbf (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	File created: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd71a.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd70f.rbf (copy)	Jump to dropped file
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	File created: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd717.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\msvcp140_codecvt_ids.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd723.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\vcamp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd710.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	File created: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\is-DLQHQ.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd720.rbf (copy)	Jump to dropped file
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	File created: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Jump to dropped file
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd721.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd709.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 3cd719.rbf (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	File created: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe (copy)	Jump to dropped file
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\wixstdba.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140kor.dll	Jump to dropped file
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140jpn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\msvcp140_2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140ita.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140esn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140deu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140chs.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfcm140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140enu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\concrt140.dll	Jump to dropped file
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140fra.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	File created: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\msvcp140_codecvt_ids.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\vccorlib140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\vcamp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\vcruntime140_1.dll	Jump to dropped file
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\msvcp140_atomic_wait.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\vcomp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140cht.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfc140rus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\mfcm140.dll	Jump to dropped file

Creates license or readme file

Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1028\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1029\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1031\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1036\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1040\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1041\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1042\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1045\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1046\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1049\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\1055\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\2052\license.rtf	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	File created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\3082\license.rtf	Jump to behavior
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	File created: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\3082\license.rtf

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Local\WindowsApp\reg.xml" /tn GoogleUpdate

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd71e.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd70e.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd71b.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd708.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd718.rbf (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd722.rbf (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QUMRA.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd724.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd71f.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd70a.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd71a.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd70f.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd70b.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd717.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\msvcp140_codecvt_ids.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd723.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd707.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd710.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd71c.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd720.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\msvcp140_atomic_wait.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd71d.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd70d.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd721.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd709.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 3cd719.rbf (copy)	Jump to dropped file

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0004FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0004FE5Dh	4_2_0004FDC2
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0004FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0004FE56h	4_2_0004FDC2
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000EFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 000EFE5Dh	5_2_000EFDC2
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000EFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 000EFE56h	5_2_000EFDC2

Is looking for software installed on the system

Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Registry key enumerated: More than 302 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Registry key enumerated: More than 452 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Found evasive API chain checking for process token information

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe

Code function: 4_2_0005962D VirtualQuery,GetSystemInfo,

4_2_0005962D

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_00013BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	4_2_00013BC3
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_00054315 FindFirstFileW,FindClose,	4_2_00054315
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0002993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	4_2_0002993E
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_00047A87 FindFirstFileExW,	4_2_00047A87
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000F4315 FindFirstFileW,FindClose,	5_2_000F4315
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000C993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	5_2_000C993E
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000B3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	5_2_000B3BC3
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000E7A87 FindFirstFileExW,	5_2_000E7A87

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	File opened: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab	Jump to behavior
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	File opened: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\NULL	Jump to behavior
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	File opened: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\NULL	Jump to behavior
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	File opened: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64	Jump to behavior
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	File opened: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages	Jump to behavior
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	File opened: C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\NULL	Jump to behavior

Source: VC_redist.x64.exe, 0000001C.00000003.364382485.0000000001568000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: VC_redist.x64.exe, 0000001C.00000003.364382485.0000000001568000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000003.404958372.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7
Source: Boku no Hero Academia 6th Season - Episode 13.tmp, 00000003.00000002.409480442.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe

Code function: 4_2_0003E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_0003E625

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe

Code function: 4_2_000138D4 GetProcessHeap,RtlAllocateHeap,

4_2_000138D4

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_00044812 mov eax, dword ptr fs:[00000030h]		4_2_00044812
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000E4812 mov eax, dword ptr fs:[00000030h]		5_2_000E4812

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0003E773 SetUnhandledExceptionFilter,	4_2_0003E773
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0003E188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0003E188
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_0003E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0003E625
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Code function: 4_2_00043BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00043BB0
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000DE773 SetUnhandledExceptionFilter,	5_2_000DE773
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000DE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_000DE188
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000DE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_000DE625
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Code function: 5_2_000E3BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_000E3BB0

HIPS / PFW / Operating System Protection Evasion

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe "c:\programdata\package cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\vc_redist.x64.exe" -burn.clean.room="c:\programdata\package cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\vc_redist.x64.exe" -burn.filehandle.attached=588 -burn.filehandle.self=564 /quiet /burn.log.append "c:\users\user\appdata\local\temp\dd_vcredist_amd64_20230102153454.log" /install
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "c:\programdata\package cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\vc_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1008 -burn.embedded burnpipe.{652d427c-3fcf-4f57-9b0a-0ffbca2578fc} {cf7111b3-ff83-47bf-a56d-0e99b89a84c1} 5468
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "c:\programdata\package cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\vc_redist.x64.exe" -burn.clean.room="c:\programdata\package cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\vc_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1008 -burn.embedded burnpipe.{652d427c-3fcf-4f57-9b0a-0ffbca2578fc} {cf7111b3-ff83-47bf-a56d-0e99b89a84c1} 5468
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "c:\programdata\package cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\vc_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=900 -burn.embedded burnpipe.{8ade75be-8c64-4d11-b05a-a6c78aecd63f} {6ee058d7-d097-43e8-87f0-a357d97d5238} 1324
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "c:\programdata\package cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\vc_redist.x64.exe" -burn.clean.room="c:\programdata\package cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\vc_redist.x64.exe" -burn.filehandle.attached=576 -burn.filehandle.self=572 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=900 -burn.embedded burnpipe.{8ade75be-8c64-4d11-b05a-a6c78aecd63f} {6ee058d7-d097-43e8-87f0-a357d97d5238} 1324
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "c:\programdata\package cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\vc_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1008 -burn.embedded burnpipe.{652d427c-3fcf-4f57-9b0a-0ffbca2578fc} {cf7111b3-ff83-47bf-a56d-0e99b89a84c1} 5468	Jump to behavior
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe "c:\programdata\package cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\vc_redist.x64.exe" -burn.clean.room="c:\programdata\package cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\vc_redist.x64.exe" -burn.filehandle.attached=588 -burn.filehandle.self=564 /quiet /burn.log.append "c:\users\user\appdata\local\temp\dd_vcredist_amd64_20230102153454.log" /install
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "c:\programdata\package cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\vc_redist.x64.exe" -burn.clean.room="c:\programdata\package cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\vc_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1008 -burn.embedded burnpipe.{652d427c-3fcf-4f57-9b0a-0ffbca2578fc} {cf7111b3-ff83-47bf-a56d-0e99b89a84c1} 5468
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "c:\programdata\package cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\vc_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=900 -burn.embedded burnpipe.{8ade75be-8c64-4d11-b05a-a6c78aecd63f} {6ee058d7-d097-43e8-87f0-a357d97d5238} 1324
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "c:\programdata\package cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\vc_redist.x64.exe" -burn.clean.room="c:\programdata\package cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\vc_redist.x64.exe" -burn.filehandle.attached=576 -burn.filehandle.self=572 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=900 -burn.embedded burnpipe.{8ade75be-8c64-4d11-b05a-a6c78aecd63f} {6ee058d7-d097-43e8-87f0-a357d97d5238} 1324

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\is-4VP2B.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process created: C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe "C:\Users\user\Desktop\Boku no Hero Academia 6th Season - Episode 13.exe" /SILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4N7PP.tmp\Boku no Hero Academia 6th Season - Episode 13.tmp	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe	Process created: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe "C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe" -burn.filehandle.attached=588 -burn.filehandle.self=628 /install /quiet	Jump to behavior
Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Process created: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe "C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{E9871BE9-995B-4EFF-BA27-126D1FC36700} {ED4F63C9-39F6-4A7D-A76D-4B8F059F42ED} 5372	Jump to behavior
Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1008 -burn.embedded BurnPipe.{652D427C-3FCF-4F57-9B0A-0FFBCA2578FC} {CF7111B3-FF83-47BF-A56D-0E99B89A84C1} 5468	Jump to behavior
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe" -burn.filehandle.attached=588 -burn.filehandle.self=564 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20230102153454.log" /install
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1008 -burn.embedded BurnPipe.{652D427C-3FCF-4F57-9B0A-0FFBCA2578FC} {CF7111B3-FF83-47BF-A56D-0E99B89A84C1} 5468
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{DC57C196-DCD2-4148-818F-F83AAF0E5C46} {63FE371D-956D-4D2B-988F-00929D1EE668} 2140
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=900 -burn.embedded BurnPipe.{8ADE75BE-8C64-4D11-B05A-A6C78AECD63F} {6EE058D7-D097-43E8-87F0-A357D97D5238} 1324
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Process created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe" -burn.filehandle.attached=576 -burn.filehandle.self=572 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=900 -burn.embedded BurnPipe.{8ADE75BE-8C64-4D11-B05A-A6C78AECD63F} {6EE058D7-D097-43E8-87F0-A357D97D5238} 1324
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\WindowsApp\chrome.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Local\WindowsApp\reg.xml" /tn GoogleUpdate
Source: C:\Users\user\AppData\Local\WindowsApp\InstallExtension.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\WindowsApp\chrome.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /Create /XML "C:\Users\user\AppData\Local\WindowsApp\reg.xml" /tn GoogleUpdate
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Policies\Google\Chrome /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\Google\Chrome\Extensions\dbffglanhdhedkjkijpkplhpcdndpchj /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG DELETE HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\dbffglanhdhedkjkijpkplhpcdndpchj /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d dbffglanhdhedkjkijpkplhpcdndpchj /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\dbffglanhdhedkjkijpkplhpcdndpchj" /v "path" /t REG_SZ /d "C:\Users\user\AppData\Local\WindowsApp\apps-helper\apps.crx" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe REG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\dbffglanhdhedkjkijpkplhpcdndpchj" /v "version" /t REG_SZ /d 1.0 /f
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe

Code function: 4_2_000515CB InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

4_2_000515CB

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe

Code function: 4_2_0005393B AllocateAndInitializeSid,CheckTokenMembership,

4_2_0005393B

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Temp\{22FC44A3-9D0C-4078-AD49-1FDAE23A881A}\.cr\VC_redist.x64.exe	Queries volume information: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.ba\logo.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\vcruntime140.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Windows\System32\msvcp140.dll VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Package Cache\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\VC_redist.x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\{9B8C7EDA-2539-42FC-9E66-AE939366FE45}\.ba\logo.png VolumeInformation
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Queries volume information: C:\Windows\Temp\{36CC976F-BDDA-47B0-BB5A-7568B395BA2A}\.ba\logo.png VolumeInformation
Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe	Queries volume information: C:\Windows\Temp\{7B1AA818-8405-4B0F-ACAF-0273ABC8852E}\.ba\logo.png VolumeInformation

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe

Code function: 4_2_0003E9A7 cpuid

4_2_0003E9A7

Source: C:\Windows\Temp\{52175C1E-180F-452E-83F2-4EF07DAE0BCF}\.be\VC_redist.x64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe

Code function: 4_2_00024CE8 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

4_2_00024CE8

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe

Code function: 4_2_0004FDC2 EnterCriticalSection,GetCurrentProcessId,GetCurrentThreadId,GetLocalTime,LeaveCriticalSection,

4_2_0004FDC2

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe

Code function: 4_2_00058733 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

4_2_00058733

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe

Code function: 4_2_0001508D GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

4_2_0001508D

Source: C:\Users\user\AppData\Local\Temp\is-8STSI.tmp\VC_redist.x64.exe

Code function: 4_2_000160BA GetUserNameW,GetLastError,

4_2_000160BA

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	1 Scripting	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	OS Credential Dumping	12 System Time Discovery	1 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Scripting	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	213 Command and Scripting Interpreter	2 Windows Service	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Windows Service	1 Timestomp	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Service Execution	Network Logon Script	12 Process Injection	1 DLL Side-Loading	LSA Secrets	36 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	1 Scheduled Task/Job	1 DLL Search Order Hijacking	Cached Domain Credentials	21 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 File Deletion	DCSync	11 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	23 Masquerading	Proc Filesystem	3 System Owner/User Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Modify Registry	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Access Token Manipulation	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	12 Process Injection	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Boku no Hero Academia 6th Season - Episode 13.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Boku no Hero Academia 6th Season - Episode 13.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Privilege Escalation

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Boku no Hero Academia 6th Season - Episode 13.exe