Windows Analysis Report
0cjB1Kh8zU.msi

Overview

General Information

Sample name: 0cjB1Kh8zU.msi
renamed because original name is a hash value
Original sample name: 13bdc90827ceec3e3dfa9fb31dee7b21c73331f212b659243e383383abe64502.msi
Analysis ID: 1466510
MD5: b8acb7e4b05d91dd4050cb707069143e
SHA1: b16dc0ab44904f7e4c82192bcec3ba4a2397e2ce
SHA256: 13bdc90827ceec3e3dfa9fb31dee7b21c73331f212b659243e383383abe64502
Tags: latammsirat

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic
AI detected suspicious sample
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Uses a known web browser user agent for HTTP communication

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 82.4% probability
Source: unknown HTTPS traffic detected: 172.67.149.157:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: Binary string: wininet.pdb source: shi8051.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: 0cjB1Kh8zU.msi, 3a7d63.msi.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: 0cjB1Kh8zU.msi, 3a7d63.msi.2.dr, MSI8026.tmp.2.dr
Source: Binary string: d3d12.pdbUGP source: shi81E8.tmp.3.dr
Source: Binary string: d3d12.pdb source: shi81E8.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb\ source: 0cjB1Kh8zU.msi, 3a7d63.msi.2.dr, MSI8026.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbu source: 0cjB1Kh8zU.msi, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI7ECA.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr
Source: Binary string: wininet.pdbUGP source: shi8051.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: 0cjB1Kh8zU.msi, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI7ECA.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:

Networking

Source: Traffic Snort IDS: 2849814 ETPRO MALWARE TakeMyFile User-Agent 192.168.2.6:49712 -> 54.165.254.88:80
Source: Traffic Snort IDS: 2849813 ETPRO MALWARE TakeMyFile Installer Checkin 192.168.2.6:49712 -> 54.165.254.88:80
Source: Joe Sandbox View ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /caju1.png HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  Host: elcxbm.processosdigital.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: elcxbm.processosdigital.com
Source: global traffic DNS traffic detected: DNS query: collect.installeranalytics.com
Source: unknown HTTP traffic detected: POST / HTTP/1.1
  Content-Type: application/x-www-form-urlencoded; charset=utf-8
  User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64)
  Host: collect.installeranalytics.com
  Content-Length: 167
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden
  Date: Tue, 02 Jul 2024 22:52:03 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  X-Frame-Options: SAMEORIGIN
  Referrer-Policy: same-origin
  Cache-Control: max-age=15
  Expires: Tue, 02 Jul 2024 22:52:18 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f6z5%2FE3OcaA5%2FKtAU9zy8RpPZmOLoqY9ePQD%2Fb2HR5gI2pxtMn6lDCyOh7MhnoL2J1o0GGji3GMHbWj9f2NnHJMEmeKEfOztlO0WN8RQGIAZufBE3LcMwkns5qxxhEaCfToXbCKZ4%2B9aZmeh8IE%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 89d2343a0d574346-EWR
  alt-svc: h3=":443"; ma=86400
Source: shi8051.tmp.3.dr String found in binary or memory: http://.css
Source: shi8051.tmp.3.dr String found in binary or memory: http://.jpg
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 0cjB1Kh8zU.msi, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI7ECA.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: http://collect.installeranalytics.com
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shi8051.tmp.3.dr String found in binary or memory: http://html4/loose.dtd
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: http://t2.symcb.com0
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: http://tl.symcd.com0&
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: msiexec.exe String found in binary or memory: https://ELcXBm.processosdigital.com/caju1.png
Source: 0cjB1Kh8zU.msi, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI7ECA.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: https://collect.installeranalytics.com
Source: 0cjB1Kh8zU.msi, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI7ECA.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: https://www.advancedinstaller.com
Source: IOAsNN.png.3.dr String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: 0cjB1Kh8zU.msi, MSI7FB7.tmp.2.dr, MSI8CFA.tmp.2.dr, MSI8C4E.tmp.2.dr, 3a7d63.msi.2.dr, MSI8006.tmp.2.dr, MSI7F87.tmp.2.dr, MSI7ECA.tmp.2.dr, MSI8026.tmp.2.dr, MSI8D2A.tmp.2.dr, MSIA2F6.tmp.2.dr, MSI8BFE.tmp.2.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3a7d63.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7ECA.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7F87.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7FB7.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8006.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8026.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8BFE.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8C4E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8CFA.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8D2A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{5FABA36A-ECA6-4633-964F-369C3AFA2A7A}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8D99.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA2F6.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI7ECA.tmp
Source: 0cjB1Kh8zU.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs 0cjB1Kh8zU.msi
Source: 0cjB1Kh8zU.msi Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs 0cjB1Kh8zU.msi
Source: 0cjB1Kh8zU.msi Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs 0cjB1Kh8zU.msi
Source: 0cjB1Kh8zU.msi Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs 0cjB1Kh8zU.msi
Source: shi8051.tmp.3.dr Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine Classification label: mal52.winMSI@4/29@2/2
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\AdvinstAnalytics
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF73CECE7117D5E336.TMP
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Program Files (x86)\desktop.ini
Source: C:\Windows\SysWOW64\msiexec.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\0cjB1Kh8zU.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 11E696952DD6B03AAA33864004BDDF5F
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netprofm.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: npmproxy.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: jscript.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttpcom.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msdart.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: zipfldr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe File written: C:\Users\user\AppData\Local\AdvinstAnalytics\6683aaa585f1fb8548fe6d24\8.7.8.9\tracking.ini
Source: 0cjB1Kh8zU.msi Static file information: File size 4970880 > 1048576
Source: shi81E8.tmp.3.dr Static PE information: 0x96D7AA59 [Sat Mar 12 16:44:09 2050 UTC]
Source: shi8051.tmp.3.dr Static PE information: section name: .wpp_sf
Source: shi8051.tmp.3.dr Static PE information: section name: .didat
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\shi8051.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\shi81E8.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8C4E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8BFE.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7ECA.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7FB7.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7F87.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8D2A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8006.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA2F6.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8026.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8CFA.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi8051.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi81E8.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8C4E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8BFE.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7ECA.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7FB7.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7F87.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8D2A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8006.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA2F6.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8026.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8CFA.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6508 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5492 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\msiexec.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: MSI8026.tmp.2.dr Binary or memory string: 01234567890.0.0.0.%dVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IROOT\CIMV2SELECT * FROM Win32_ComputerSystemSELECT * FROM Win32_BIOSManufacturerModelVersionGetting system informationManufacturer [Model [BIOS [IsWow64Processkernel32Software\Microsoft\Windows NT\CurrentVersionSYSTEM\CurrentControlSet\Control\ProductOptionsCurrentMajorVersionNumberCurrentMinorVersionNumberCurrentVersionCurrentBuildNumberReleaseIdCSDVersionProductTypeProductSuiteWinNTServerNTSmall BusinessEnterpriseBackOfficeCommunicationServerTerminal ServerSmall Business(Restricted)EmbeddedNTDataCenterPersonalBladeEmbedded(Restricted)Security ApplianceStorage ServerCompute Server Failed to create IWbemLocator object. Error code: \\Could not connect to WMI provider. Error code: Failed to initialize security. Error code: Could not set proxy blanket. Error code: WQLWMI Query failed: []. Error code:
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\Users\user\IOAsNN\VNgnVm\IOAsNN.zip VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct