Windows Analysis Report
dK5DtwHlOm.exe

Overview

General Information

Sample name: dK5DtwHlOm.exe (renamed because the original name is a hash value)
Original sample name: 11471fefe1cc0d23ed54aa434ea7c0ccbfef0350457235346936822fbcb39f43.exe
Analysis ID: 1554992
MD5: 932b9920b8fdecc6e2fd9c0aa298ffbc
SHA1: 6a058ce158711c8dd50cd914b49e40d55f0377c0
SHA256: 11471fefe1cc0d23ed54aa434ea7c0ccbfef0350457235346936822fbcb39f43
Tags: ConsolHQLTD, exe, user-JAMESWT_MHT

Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Compliance

Score: 47
Range: 0 - 100

Signatures

Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Compliance

Source: dK5DtwHlOm.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: dK5DtwHlOm.exe Static PE information: certificate valid
Source: dK5DtwHlOm.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1711549640.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, shi9909.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdby source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9D2F.tmp.1.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9D2F.tmp.1.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: dK5DtwHlOm.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: dK5DtwHlOm.exe, 00000000.00000003.1711549640.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, shi9909.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: dK5DtwHlOm.exe
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI99D6.tmp.0.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: dK5DtwHlOm.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI99D6.tmp.0.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr
Source: C:\Windows\SysWOW64\msiexec.exe File opened: a:, b:, c:, e:, f:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, w:, x:, y:, z:
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B02380 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00B02380
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009FAB80 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW, 0_2_009FAB80
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AE4DA0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_00AE4DA0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B03220 FindFirstFileW,FindClose, 0_2_00B03220
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AE5370 FindFirstFileW,GetLastError,FindClose, 0_2_00AE5370
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AC8230 FindFirstFileW,FindNextFileW,FindClose, 0_2_00AC8230
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B0C530 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00B0C530
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B208D0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00B208D0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B0C930 FindFirstFileW,FindClose, 0_2_00B0C930
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AE4A10 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr, 0_2_00AE4A10
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AECF00 FindFirstFileW,FindClose,FindClose, 0_2_00AECF00
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AFF260 FindFirstFileW,FindClose, 0_2_00AFF260
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B0F8A0 FindFirstFileW,FindClose, 0_2_00B0F8A0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B0B500 _wcschr,_wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00B0B500
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49735
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49743
Source: dK5DtwHlOm.exe String found in binary or memory: RShlwapi.dllShell32.dllmsiexec.exeSoftware\JavaSoft\Java Development Kit\binSoftware\JavaSoft\Java Runtime Environment\JavaHomeFlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmpGETattachment.partfilenamecharset= "POSTutf-8DLD123US-ASCIIAdvancedInstallerutf-16ISO-8859-1*/*HTTP/1.0Local Network ServerFTP ServerContent-Type: application/x-www-form-urlencoded; charset=utf-8 equals www.yahoo.com (Yahoo)
Source: dK5DtwHlOm.exe, 00000000.00000002.1792072343.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp, dK5DtwHlOm.exe, 00000000.00000000.1675013179.0000000000BF9000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Shlwapi.dllShell32.dllmsiexec.exeSoftware\JavaSoft\Java Development Kit\binSoftware\JavaSoft\Java Runtime Environment\JavaHomeFlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmpGETattachment.partfilenamecharset= "POSTutf-8DLD123US-ASCIIAdvancedInstallerutf-16ISO-8859-1*/*HTTP/1.0Local Network ServerFTP ServerContent-Type: application/x-www-form-urlencoded; charset=utf-8 equals www.yahoo.com (Yahoo)
Source: shi9909.tmp.0.dr String found in binary or memory: http://.css
Source: shi9909.tmp.0.dr String found in binary or memory: http://.jpg
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shi9909.tmp.0.dr String found in binary or memory: http://html4/loose.dtd
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: http://t2.symcb.com0
Source: dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: http://tl.symcd.com0&
Source: dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: https://www.advancedinstaller.com
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1789737539.0000000004333000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: dK5DtwHlOm.exe, 00000000.00000003.1790227644.0000000004323000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791229425.000000000432C000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000002.1793499977.0000000004331000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1791696038.0000000004330000.00000004.00000020.00020000.00000000.sdmp, dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI99D6.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr, MSI9D2F.tmp.1.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B22390 NtdllDefWindowProc_W, 0_2_00B22390
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AA2620 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W, 0_2_00AA2620
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00A88100 NtdllDefWindowProc_W, 0_2_00A88100
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00A40110 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00A40110
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009F2330 NtdllDefWindowProc_W, 0_2_009F2330
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009FC750 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection, 0_2_009FC750
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009F8840 NtdllDefWindowProc_W, 0_2_009F8840
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009F89B0 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_009F89B0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009EEBF0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W, 0_2_009EEBF0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00A40C9E GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00A40C9E
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00A40C28 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00A40C28
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00A40D5D GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00A40D5D
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009EF1A0 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString, 0_2_009EF1A0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009EF7D0 NtdllDefWindowProc_W, 0_2_009EF7D0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00A0D760 NtdllDefWindowProc_W, 0_2_00A0D760
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009F1740 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow, 0_2_009F1740
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00A018D0 NtdllDefWindowProc_W, 0_2_00A018D0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009F1D70 NtdllDefWindowProc_W, 0_2_009F1D70
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5b9aaf.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9D2F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9DCC.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9E0C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9E2C.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI9D2F.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B1C120 0_2_00B1C120
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009FAB80 0_2_009FAB80
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AF8C40 0_2_00AF8C40
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B215C0 0_2_00B215C0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00ABC150 0_2_00ABC150
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00A062B0 0_2_00A062B0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00A044A0 0_2_00A044A0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009FE540 0_2_009FE540
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B867E0 0_2_00B867E0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009F8DF0 0_2_009F8DF0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B8EF3A 0_2_00B8EF3A
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009E3010 0_2_009E3010
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AC3460 0_2_00AC3460
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00A15680 0_2_00A15680
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B7F7DC 0_2_00B7F7DC
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00A03890 0_2_00A03890
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B919A0 0_2_00B919A0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00A079D0 0_2_00A079D0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00A3FAD0 0_2_00A3FAD0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B99D65 0_2_00B99D65
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009E3E25 0_2_009E3E25
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: String function: 009E9120 appears 38 times
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: String function: 009E87D0 appears 404 times
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: String function: 00ADF720 appears 61 times
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: String function: 009E70D0 appears 36 times
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: String function: 009E7160 appears 50 times
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: String function: 00A13BA0 appears 90 times
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: String function: 009E9990 appears 60 times
Source: dK5DtwHlOm.exe, 00000000.00000000.1675223362.0000000000C88000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameInstaller.exe6 vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrereq.dllF vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelzmaextractor.dllF vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe, 00000000.00000003.1677250230.000000000120F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDecoder.dllF vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe, 00000000.00000003.1711549640.00000000058F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe Binary or memory string: OriginalFileNameInstaller.exe6 vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe Binary or memory string: OriginalFilenameDecoder.dllF vs dK5DtwHlOm.exe
Source: dK5DtwHlOm.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: shi9909.tmp.0.dr Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine Classification label: clean8.winEXE@8/13@0/0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AE3200 FormatMessageW,GetLastError, 0_2_00AE3200
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B0DAE0 GetDiskFreeSpaceExW, 0_2_00B0DAE0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B27B10 CoCreateInstance, 0_2_00B27B10
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00A7AD00 FindResourceW,LoadResource,LockResource,SizeofResource, 0_2_00A7AD00
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe File created: C:\Users\user\AppData\Roaming\Restricted editor savers
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe File created: C:\Users\user\AppData\Local\Temp\shi9909.tmp
Source: dK5DtwHlOm.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe File read: C:\Users\user\Desktop\dK5DtwHlOm.exe
Source: unknown Process created: C:\Users\user\Desktop\dK5DtwHlOm.exe "C:\Users\user\Desktop\dK5DtwHlOm.exe"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9AEE7218D2031C6F2AE76EA651368327 C
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install\9629E8B\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\dK5DtwHlOm.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488655 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A37C39DFED73779FFC80EA38DF9643CA
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: davhlpr.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: lpk.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: dK5DtwHlOm.exe Static PE information: certificate valid
Source: dK5DtwHlOm.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: dK5DtwHlOm.exe Static file information: File size 51730672 > 1048576
Source: dK5DtwHlOm.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x217a00
Source: dK5DtwHlOm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dK5DtwHlOm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dK5DtwHlOm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dK5DtwHlOm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dK5DtwHlOm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dK5DtwHlOm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: dK5DtwHlOm.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: dK5DtwHlOm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wininet.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1711549640.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, shi9909.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdby source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9D2F.tmp.1.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI9977.tmp.0.dr, MSI9DCC.tmp.1.dr, MSI9E0C.tmp.1.dr, Installer.msi.0.dr, MSI9D2F.tmp.1.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: dK5DtwHlOm.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004597000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: dK5DtwHlOm.exe, 00000000.00000003.1711549640.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, shi9909.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: dK5DtwHlOm.exe
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI99D6.tmp.0.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: dK5DtwHlOm.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: dK5DtwHlOm.exe, 00000000.00000003.1706551117.0000000004400000.00000004.00001000.00020000.00000000.sdmp, 5b9aaf.msi.1.dr, MSI99D6.tmp.0.dr, Installer.msi.0.dr, MSI9E2C.tmp.1.dr
Source: dK5DtwHlOm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dK5DtwHlOm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dK5DtwHlOm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dK5DtwHlOm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dK5DtwHlOm.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shi9909.tmp.0.dr Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B20560 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00B20560
Source: shi9909.tmp.0.dr Static PE information: section name: .wpp_sf
Source: shi9909.tmp.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_3_011DBF88 push ds; retf 0009h 0_3_011DBF8A
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_3_011CC9A2 pushad ; iretd 0_3_011CCEA9
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_3_011D31C6 push esp; iretd 0_3_011D321C
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_3_011D32BB push edx; retf 0_3_011D32BC
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_3_011D12A8 push eax; iretd 0_3_011D12A9
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_3_0120E16B push es; ret 0_3_0120E16E
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_3_01206351 push es; ret 0_3_01206772
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_3_0120D1A8 push eax; iretd 0_3_0120D1B5
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_3_01206785 push es; retf 0_3_01206786
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_3_01206787 push es; iretd 0_3_01206792
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_3_0120CDE0 push eax; iretd 0_3_0120CDE1
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_3_0120DEDC push es; retf 0_3_0120DFC6
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00A860EB push ecx; mov dword ptr [esp], 3F800000h 0_2_00A862BE
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B7771E push ecx; ret 0_2_00B77731
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009F3B2B push esi; ret 0_2_009F3B2D
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009F5CB0 push ecx; mov dword ptr [esp], ecx 0_2_009F5CB1
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AC3D60 push ecx; mov dword ptr [esp], 3F800000h 0_2_00AC3E96
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe File created: C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install\decoder.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9E0C.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe File created: C:\Users\user\AppData\Local\Temp\MSI99D6.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9DCC.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9D2F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9E2C.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe File created: C:\Users\user\AppData\Local\Temp\MSI9977.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe File created: C:\Users\user\AppData\Local\Temp\shi9909.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9E0C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9DCC.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9D2F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9E2C.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install\decoder.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI9E0C.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI9DCC.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI99D6.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI9D2F.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI9E2C.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9977.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi9909.tmp
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe File Volume queried: C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install FullSizeInformation
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe File Volume queried: C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install\9629E8B FullSizeInformation
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B02380 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00B02380
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_009FAB80 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW, 0_2_009FAB80
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AE4DA0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_00AE4DA0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B03220 FindFirstFileW,FindClose, 0_2_00B03220
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AE5370 FindFirstFileW,GetLastError,FindClose, 0_2_00AE5370
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AC8230 FindFirstFileW,FindNextFileW,FindClose, 0_2_00AC8230
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B0C530 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00B0C530
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B208D0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00B208D0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B0C930 FindFirstFileW,FindClose, 0_2_00B0C930
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AE4A10 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr, 0_2_00AE4A10
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AECF00 FindFirstFileW,FindClose,FindClose, 0_2_00AECF00
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00AFF260 FindFirstFileW,FindClose, 0_2_00AFF260
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B0F8A0 FindFirstFileW,FindClose, 0_2_00B0F8A0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B0B500 _wcschr,_wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00B0B500
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B7411D VirtualQuery,GetSystemInfo, 0_2_00B7411D
Source: MSI9E2C.tmp.1.dr Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B76437 IsDebuggerPresent,OutputDebugStringW, 0_2_00B76437
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B20560 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00B20560
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B7674C mov esi, dword ptr fs:[00000030h] 0_2_00B7674C
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B98A0E mov eax, dword ptr fs:[00000030h] 0_2_00B98A0E
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B8D840 mov ecx, dword ptr fs:[00000030h] 0_2_00B8D840
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B767B8 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_00B767B8
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00A12530 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00A12530
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B771E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00B771E8
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B7BEA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B7BEA3
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\restricted editor savers\editpro ai 1.131.2\install\9629e8b\installer.msi" ai_setupexepath=c:\users\user\desktop\dk5dtwhlom.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488655 " ai_euimsi=""
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\restricted editor savers\editpro ai 1.131.2\install\9629e8b\installer.msi" ai_setupexepath=c:\users\user\desktop\dk5dtwhlom.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488655 " ai_euimsi=""
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B0FD20 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle, 0_2_00B0FD20
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx, 0_2_00B04F10
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: EnumSystemLocalesW, 0_2_00B90DD9
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00B94D50
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: EnumSystemLocalesW, 0_2_00B94FF2
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: GetLocaleInfoW, 0_2_00B94F4B
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: EnumSystemLocalesW, 0_2_00B950D8
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: EnumSystemLocalesW, 0_2_00B9503D
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00B95163
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: GetLocaleInfoW, 0_2_00B953B6
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: GetLocaleInfoW, 0_2_00B91356
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00B954DF
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: GetLocaleInfoW, 0_2_00B955E5
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00B956B4
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B1C8F0 CreateNamedPipeW,CreateFileW, 0_2_00B1C8F0
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B763AD GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 0_2_00B763AD
Source: C:\Users\user\Desktop\dK5DtwHlOm.exe Code function: 0_2_00B1B490 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW, 0_2_00B1B490
No contacted IP infos