Windows Analysis Report
oz9Blof9tN.msi

Overview

General Information

Sample name: oz9Blof9tN.msi
renamed because original name is a hash value
Original sample name: 65bd52c6c75354696a891efbf47be141837d095953366f5dec823a0257126840.msi
Analysis ID: 1483409
MD5: 54e6bcb33159c34e4e35fc27073786fb
SHA1: 74b6384f931cfd1c37e86bf62699d657b38faad2
SHA256: 65bd52c6c75354696a891efbf47be141837d095953366f5dec823a0257126840
Tags: 156-255-2-100msi
Infos:

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Drops executables to the windows directory (C:\Windows) and starts them
Potentially malicious time measurement code found
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Cobalt Strike, CobaltStrike Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
 https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

AV Detection
barindex
Found malware configuration
Source: 00000005.00000002.3238249247.000000C000100000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 18896, "SleepTime": 45000, "MaxGetSize": 1403644, "Jitter": 37, "C2Server": "156.255.2.100,/jquery-3.3.1.min.js", "HttpPostUri": "/jquery-3.3.2.min.js", "Malleable_C2_Instructions": ["Remove 1522 bytes from the end", "Remove 84 bytes from the beginning", "Remove 3931 bytes from the beginning", "Base64 URL-safe decode", "XOR mask w/ random key"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe", "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 17500, "ProcInject_PrependAppend_x86": ["kJA=", "Empty"], "ProcInject_PrependAppend_x64": ["kJA=", "Empty"], "ProcInject_Execute": ["ntdll:RtlUserThreadStart", "CreateThread", "NtQueueApcThread-s", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "True", "HostHeader": ""}
Multi AV Scanner detection for domain / URL
Source: https://156.255.2.100:18896/ Virustotal: Detection: 5% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Virustotal: Detection: 60% Perma Link
Multi AV Scanner detection for submitted file
Source: oz9Blof9tN.msi ReversingLabs: Detection: 36%
Source: oz9Blof9tN.msi Virustotal: Detection: 46% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability

Bitcoin Miner
barindex
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_010020A0 LoadLibraryExW, 5_2_010020A0
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: MSI460B.tmp, 00000004.00000002.2007232796.000000000054E000.00000002.00000001.01000000.00000003.sdmp, MSI460B.tmp, 00000004.00000000.1999454439.000000000054E000.00000002.00000001.01000000.00000003.sdmp, oz9Blof9tN.msi, MSI458D.tmp.1.dr, MSI460B.tmp.1.dr, 4b42f7.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: oz9Blof9tN.msi, MSI4440.tmp.1.dr, 4b42f7.msi.1.dr, MSI452E.tmp.1.dr, MSI43E2.tmp.1.dr, MSI44DF.tmp.1.dr, MSI4480.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSI460B.tmp, 00000004.00000002.2007232796.000000000054E000.00000002.00000001.01000000.00000003.sdmp, MSI460B.tmp, 00000004.00000000.1999454439.000000000054E000.00000002.00000001.01000000.00000003.sdmp, oz9Blof9tN.msi, MSI458D.tmp.1.dr, MSI460B.tmp.1.dr, 4b42f7.msi.1.dr
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_00540A10 FindFirstFileExW, 4_2_00540A10
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 4x nop then cmp rdx, 40h 5_2_00FEF360
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 4x nop then cmp rdx, rbx 5_2_00FDB320
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 4x nop then shr r10, 0Dh 5_2_00FFA580
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 4x nop then lock or byte ptr [rdx], dil 5_2_00FEFAA0
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 4x nop then shr r10, 0Dh 5_2_00FFBA00

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 156.255.2.100
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 156.255.2.100:18896
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: unknown TCP traffic detected without corresponding DNS query: 156.255.2.100
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75F24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://code.jquery.com/
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2308728075.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017520327.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://code.jquery.com/9S
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2026764473.0000025F76009000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2308728075.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017520327.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2308728075.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017520327.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.5.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2308875318.0000025F75FA6000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017374596.0000025F75FA7000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017544301.0000025F75FAC000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2191865341.0000025F75FAF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabG
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2308875318.0000025F75FA6000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75FAF000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017374596.0000025F75FA7000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017544301.0000025F75FAC000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2191865341.0000025F75FAF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c6786262e0
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2308728075.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017520327.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100/
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75FDD000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2309083007.0000025F75FDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75FDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/hy
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017520327.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2308728075.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017520327.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js-2425835fc7d3
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017520327.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js1.3.6.1.4.1.311.10.3.91.3.6.1.4.1.311.10.3.19
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75FDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.js53011b87bd06u
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75F55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsS
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2309083007.0000025F75FDB000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017544301.0000025F75FDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsc
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2308728075.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017520327.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsdclHbog
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75FDD000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017544301.0000025F75FDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsg
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017520327.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsjb
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017520327.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsnc
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017544301.0000025F75FDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsrovider
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2191865341.0000025F75FDA000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017544301.0000025F75FDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsrovider7
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75FDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsroviderD
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017520327.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsryptnetUrlCache
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2308728075.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017520327.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jst
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2308728075.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017520327.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jststl.cab?c6786262e02c8735
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75FDD000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017544301.0000025F75FDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsvider
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75FDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/jquery-3.3.1.min.jsw
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75FDD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://156.255.2.100:18896/ll
Installs a raw input device (often for capturing keystrokes)
Source: ImmEnumInputContext9ed8e2f7ae.exe Binary or memory string: runtime.main not on m0set_crosscall2 missingbad g->status in readywirep: invalid p stateassembly checks failedstack not a power of 2minpc or maxpc invalidcompileCallback: type non-Go function at pc=RtlLookupFunctionEntryRegisterRawInputDevicesCreateAccelerator

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.3239674052.0000025F7D900000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000005.00000002.3239172694.0000025F7CBA0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000005.00000002.3238249247.000000C000100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000005.00000003.2002510111.0000025F7CB50000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4b42f7.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI43E2.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4440.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4480.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI44DF.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI452E.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{0915C26A-4838-446F-95D6-9061AE0B204B} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI458D.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI460B.tmp Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI43E2.tmp Jump to behavior
Detected potential crypto function
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_0053F2D3 4_2_0053F2D3
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_0052B340 4_2_0052B340
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_00543340 4_2_00543340
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_00531330 4_2_00531330
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_005354D0 4_2_005354D0
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_0050D510 4_2_0050D510
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_00533521 4_2_00533521
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_005316BE 4_2_005316BE
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_00544A9F 4_2_00544A9F
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_0053CBA9 4_2_0053CBA9
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_00537CA8 4_2_00537CA8
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FDC240 5_2_00FDC240
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0100D920 5_2_0100D920
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FD1AA0 5_2_00FD1AA0
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FF7A60 5_2_00FF7A60
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FF6C60 5_2_00FF6C60
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FDCDE0 5_2_00FDCDE0
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_01014CA0 5_2_01014CA0
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FE4E20 5_2_00FE4E20
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_01032109 5_2_01032109
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FED0E0 5_2_00FED0E0
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FD3040 5_2_00FD3040
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0101E040 5_2_0101E040
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_010070C0 5_2_010070C0
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0100E3A0 5_2_0100E3A0
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FE93C0 5_2_00FE93C0
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0101F260 5_2_0101F260
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_010042C0 5_2_010042C0
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0100F560 5_2_0100F560
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FFA580 5_2_00FFA580
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FF4560 5_2_00FF4560
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FD9620 5_2_00FD9620
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FF1600 5_2_00FF1600
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0100B600 5_2_0100B600
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_01007900 5_2_01007900
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FE98E0 5_2_00FE98E0
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FDD9A0 5_2_00FDD9A0
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FF59A0 5_2_00FF59A0
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FFE980 5_2_00FFE980
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FFAA40 5_2_00FFAA40
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FE3A20 5_2_00FE3A20
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FFBA00 5_2_00FFBA00
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0101AD20 5_2_0101AD20
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FFDC00 5_2_00FFDC00
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_01029C00 5_2_01029C00
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FFCDE0 5_2_00FFCDE0
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0100ACA0 5_2_0100ACA0
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FEFD20 5_2_00FEFD20
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FE8D00 5_2_00FE8D00
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_00FE7F60 5_2_00FE7F60
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0000025F7CBB6B38 5_2_0000025F7CBB6B38
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0000025F7CBC1528 5_2_0000025F7CBC1528
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0000025F7CBC0E64 5_2_0000025F7CBC0E64
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0000025F7CBC1F9C 5_2_0000025F7CBC1F9C
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0000025F7CBBF1A8 5_2_0000025F7CBBF1A8
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0000025F7D900000 5_2_0000025F7D900000
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Windows\Installer\MSI43E2.tmp CA763693CC25D316F14A9EBAD80EBF00590329550C45ADB7E5205486533C2504
Source: Joe Sandbox View Dropped File: C:\Windows\Installer\MSI4440.tmp CA763693CC25D316F14A9EBAD80EBF00590329550C45ADB7E5205486533C2504
Found potential string decryption / allocating functions
Source: C:\Windows\Installer\MSI460B.tmp Code function: String function: 00529E26 appears 71 times
Source: C:\Windows\Installer\MSI460B.tmp Code function: String function: 00529DF3 appears 100 times
Source: C:\Windows\Installer\MSI460B.tmp Code function: String function: 0052A1C0 appears 39 times
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: String function: 01006320 appears 512 times
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: String function: 01007E20 appears 89 times
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: String function: 01008640 appears 693 times
Sample file is different than original file name gathered from version info
Source: oz9Blof9tN.msi Binary or memory string: OriginalFilenameviewer.exeF vs oz9Blof9tN.msi
Source: oz9Blof9tN.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs oz9Blof9tN.msi
Yara signature match
Source: 00000005.00000002.3239674052.0000025F7D900000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000005.00000002.3239172694.0000025F7CBA0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000005.00000002.3238249247.000000C000100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000005.00000003.2002510111.0000025F7CB50000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: classification engine Classification label: mal100.troj.evad.mine.winMSI@8/27@0/1
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_005062E0 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle, 4_2_005062E0
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_00507020 CoInitialize,CoCreateInstance,VariantInit,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,VariantInit,LocalFree,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error, 4_2_00507020
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_00501D90 LoadResource,LockResource,SizeofResource, 4_2_00501D90
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CML45C6.tmp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DFF5CEB662862EABEF.TMP Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe File opened: C:\Windows\system32\39f92c109a8dd9329424c47503eedf00f58ba06624d67346b63dda6edce31e92AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: C:\Windows\Installer\MSI460B.tmp Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: oz9Blof9tN.msi ReversingLabs: Detection: 36%
Source: oz9Blof9tN.msi Virustotal: Detection: 46%
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: ImmEnumInputContext9ed8e2f7ae.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\oz9Blof9tN.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2FB75800E24C988F6C303CBA6166C7C4
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI460B.tmp "C:\Windows\Installer\MSI460B.tmp" /DontWait /HideWindow "C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe "C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe"
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2FB75800E24C988F6C303CBA6166C7C4 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI460B.tmp "C:\Windows\Installer\MSI460B.tmp" /DontWait /HideWindow "C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Installer\MSI460B.tmp Section loaded: msi.dll Jump to behavior
Source: C:\Windows\Installer\MSI460B.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Installer\MSI460B.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Installer\MSI460B.tmp Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Installer\MSI460B.tmp Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Installer\MSI460B.tmp Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Installer\MSI460B.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 Jump to behavior
Source: oz9Blof9tN.msi Static file information: File size 2541568 > 1048576
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: MSI460B.tmp, 00000004.00000002.2007232796.000000000054E000.00000002.00000001.01000000.00000003.sdmp, MSI460B.tmp, 00000004.00000000.1999454439.000000000054E000.00000002.00000001.01000000.00000003.sdmp, oz9Blof9tN.msi, MSI458D.tmp.1.dr, MSI460B.tmp.1.dr, 4b42f7.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: oz9Blof9tN.msi, MSI4440.tmp.1.dr, 4b42f7.msi.1.dr, MSI452E.tmp.1.dr, MSI43E2.tmp.1.dr, MSI44DF.tmp.1.dr, MSI4480.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSI460B.tmp, 00000004.00000002.2007232796.000000000054E000.00000002.00000001.01000000.00000003.sdmp, MSI460B.tmp, 00000004.00000000.1999454439.000000000054E000.00000002.00000001.01000000.00000003.sdmp, oz9Blof9tN.msi, MSI458D.tmp.1.dr, MSI460B.tmp.1.dr, 4b42f7.msi.1.dr
PE file contains sections with non-standard names
Source: ImmEnumInputContext9ed8e2f7ae.exe.1.dr Static PE information: section name: .xdata
Source: ImmEnumInputContext9ed8e2f7ae.exe.1.dr Static PE information: section name: .symtab
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_00529DD0 push ecx; ret 4_2_00529DE3
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_3_0000025F7CB5508E push edi; iretd 5_3_0000025F7CB5508F
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_3_0000025F7CB508EE push ss; iretd 5_3_0000025F7CB508F5
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_3_0000025F7CB529A1 push ds; ret 5_3_0000025F7CB529F7
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_3_0000025F7CB503E2 push cs; retf 5_3_0000025F7CB503E3
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0000025F7CBA935D push edi; iretd 5_2_0000025F7CBA935E
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0000025F7CBAAD58 push ebp; iretd 5_2_0000025F7CBAAD59
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0000025F7CBA971E push cs; retf 5_2_0000025F7CBA971F
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0000025F7CBB977E push EC9DD3C7h; retf 5_2_0000025F7CBB978C
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0000025F7CBCA86F push ebp; iretd 5_2_0000025F7CBCA870
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0000025F7CBCA84F push ebp; iretd 5_2_0000025F7CBCA850
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0000025F7CBAB91C pushad ; retf 5_2_0000025F7CBAB91D
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0000025F7CBAF901 push ebx; iretd 5_2_0000025F7CBAF902
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0000025F7CBCA898 push ebp; iretd 5_2_0000025F7CBCA899

Persistence and Installation Behavior
barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\msiexec.exe Executable created and started: C:\Windows\Installer\MSI460B.tmp Jump to behavior
Drops PE files
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4440.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI460B.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI43E2.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI44DF.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4480.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI452E.tmp Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4440.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI460B.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI43E2.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI44DF.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4480.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI452E.tmp Jump to dropped file
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_01034E60 rdtscp 5_2_01034E60
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI4440.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI43E2.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI44DF.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI4480.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI452E.tmp Jump to dropped file
Found evasive API chain checking for process token information
Source: C:\Windows\Installer\MSI460B.tmp Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Windows\Installer\MSI460B.tmp API coverage: 4.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe TID: 6052 Thread sleep time: -39873s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_00540A10 FindFirstFileExW, 4_2_00540A10
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_010021E0 GetProcessAffinityMask,GetSystemInfo, 5_2_010021E0
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Thread delayed: delay time: 39873 Jump to behavior
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.2308728075.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75F24000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp, ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000003.3017520327.0000025F75F82000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ImmEnumInputContext9ed8e2f7ae.exe, 00000005.00000002.3238431748.0000025F75F24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Potentially malicious time measurement code found
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_01034E60 Start: 01034E69 End: 01034E7F 5_2_01034E60
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_01034E60 rdtscp 5_2_01034E60
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_005124B5 IsDebuggerPresent,OutputDebugStringW, 4_2_005124B5
Contains functionality to read the PEB
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_0054080C mov eax, dword ptr fs:[00000030h] 4_2_0054080C
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_00539C75 mov ecx, dword ptr fs:[00000030h] 4_2_00539C75
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_005025B0 GetProcessHeap, 4_2_005025B0
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI460B.tmp "C:\Windows\Installer\MSI460B.tmp" /DontWait /HideWindow "C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe" Jump to behavior
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_0052A145 SetUnhandledExceptionFilter, 4_2_0052A145
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_0052976D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0052976D
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_0052DFE6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0052DFE6
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_00529FB1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00529FB1
Contains functionality to launch a program with higher privileges
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_00507840 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,EnumWindows,SetWindowPos,WaitForSingleObject,GetExitCodeProcess,GetWindowThreadProcessId,GetWindowLongW, 4_2_00507840
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_00529BFC cpuid 4_2_00529BFC
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Installer\MSI460B.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_00544039
Source: C:\Windows\Installer\MSI460B.tmp Code function: EnumSystemLocalesW, 4_2_0053E02D
Source: C:\Windows\Installer\MSI460B.tmp Code function: GetLocaleInfoW, 4_2_0054413F
Source: C:\Windows\Installer\MSI460B.tmp Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_0054420E
Source: C:\Windows\Installer\MSI460B.tmp Code function: GetLocaleInfoW, 4_2_0053E5AA
Source: C:\Windows\Installer\MSI460B.tmp Code function: GetLocaleInfoEx,FormatMessageA, 4_2_00512831
Source: C:\Windows\Installer\MSI460B.tmp Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 4_2_0054388F
Source: C:\Windows\Installer\MSI460B.tmp Code function: EnumSystemLocalesW, 4_2_00543B37
Source: C:\Windows\Installer\MSI460B.tmp Code function: EnumSystemLocalesW, 4_2_00543B82
Source: C:\Windows\Installer\MSI460B.tmp Code function: EnumSystemLocalesW, 4_2_00543C1D
Source: C:\Windows\Installer\MSI460B.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_00543CB0
Source: C:\Windows\Installer\MSI460B.tmp Code function: GetLocaleInfoEx, 4_2_00528EB7
Source: C:\Windows\Installer\MSI460B.tmp Code function: GetLocaleInfoW, 4_2_00543F10
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_0052A205 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_0052A205
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Code function: 5_2_0000025F7CBB4E28 GetUserNameA,strrchr,_snprintf, 5_2_0000025F7CBB4E28
Source: C:\Windows\Installer\MSI460B.tmp Code function: 4_2_0053EA34 GetTimeZoneInformation, 4_2_0053EA34
Source: C:\Users\user\AppData\Roaming\cloudchat.inc\cloudchat\ImmEnumInputContext9ed8e2f7ae.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Remote Access Functionality
barindex
Yara detected CobaltStrike
Source: Yara match File source: 00000005.00000002.3238249247.000000C000100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2002510111.0000025F7CB50000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3239674052.0000025F7D900000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3239202728.0000025F7CBD1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ImmEnumInputContext9ed8e2f7ae.exe PID: 6304, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1483409 Sample: oz9Blof9tN.msi Startdate: 27/07/2024 Architecture: WINDOWS Score: 100 31 Multi AV Scanner detection for domain / URL 2->31 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 4 other signatures 2->37 6 msiexec.exe 14 41 2->6         started        10 ImmEnumInputContext9ed8e2f7ae.exe 8 1 2->10         started        13 msiexec.exe 2 2->13         started        process3 dnsIp4 21 C:\Windows\Installer\MSI460B.tmp, PE32 6->21 dropped 23 C:\Windows\Installer\MSI452E.tmp, PE32 6->23 dropped 25 C:\Windows\Installer\MSI44DF.tmp, PE32 6->25 dropped 27 4 other malicious files 6->27 dropped 39 Drops executables to the windows directory (C:\Windows) and starts them 6->39 15 msiexec.exe 6->15         started        17 MSI460B.tmp 6->17         started        29 156.255.2.100, 18896, 49704, 49706 ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK Seychelles 10->29 41 Multi AV Scanner detection for dropped file 10->41 43 Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners) 10->43 45 Potentially malicious time measurement code found 10->45 19 conhost.exe 10->19         started        file5 signatures6 process7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
156.255.2.100
 unknown Seychelles
137443 ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK true

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.214.172 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
156.255.2.100 true
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown