Windows Analysis Report
L7eGkXK1vw.exe

Overview

General Information

Sample name: L7eGkXK1vw.exe
renamed because original name is a hash value
Original sample name: 5a7889d8d11a64a8dd380049b9e1db2c7a20e9fa7f66b4538b281cd1e5c9d0e7.exe
Analysis ID: 1554993
MD5: b4826e1862bf50df8e729c8fadeb9f0b
SHA1: cc3b95c66ead4d0bc695a5c87241f6eda51febbb
SHA256: 5a7889d8d11a64a8dd380049b9e1db2c7a20e9fa7f66b4538b281cd1e5c9d0e7
Tags: ConsolHQLTD, exe, user-JAMESWT_MHT

Detection

Score: 9
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Compliance

Score: 47
Range: 0 - 100

Signatures

Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Compliance

Source: L7eGkXK1vw.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: L7eGkXK1vw.exe Static PE information: certificate valid
Source: L7eGkXK1vw.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2028102721.0000000005D7C000.00000004.00000020.00020000.00000000.sdmp, shiCF5B.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdby source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: L7eGkXK1vw.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: L7eGkXK1vw.exe, 00000000.00000003.2028102721.0000000005D7C000.00000004.00000020.00020000.00000000.sdmp, shiCF5B.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: L7eGkXK1vw.exe
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: L7eGkXK1vw.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr
Source: C:\Windows\SysWOW64\msiexec.exe File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01062380 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_01062380
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F5AB80 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW, 0_2_00F5AB80
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01044DA0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_01044DA0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01045370 FindFirstFileW,GetLastError,FindClose, 0_2_01045370
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01063220 FindFirstFileW,FindClose, 0_2_01063220
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01028230 FindFirstFileW,FindNextFileW,FindClose, 0_2_01028230
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0106C530 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_0106C530
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0106C930 FindFirstFileW,FindClose, 0_2_0106C930
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010808D0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_010808D0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01044A10 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr, 0_2_01044A10
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0104CF00 FindFirstFileW,FindClose,FindClose, 0_2_0104CF00
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0105F260 FindFirstFileW,FindClose, 0_2_0105F260
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0106F8A0 FindFirstFileW,FindClose, 0_2_0106F8A0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0106B500 _wcschr,_wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_0106B500
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49709
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.5:49894
Source: L7eGkXK1vw.exe String found in binary or memory: RShlwapi.dllShell32.dllmsiexec.exeSoftware\JavaSoft\Java Development Kit\binSoftware\JavaSoft\Java Runtime Environment\JavaHomeFlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmpGETattachment.partfilenamecharset= "POSTutf-8DLD123US-ASCIIAdvancedInstallerutf-16ISO-8859-1*/*HTTP/1.0Local Network ServerFTP ServerContent-Type: application/x-www-form-urlencoded; charset=utf-8 equals www.yahoo.com (Yahoo)
Source: L7eGkXK1vw.exe, 00000000.00000000.1991668484.0000000001159000.00000002.00000001.01000000.00000003.sdmp, L7eGkXK1vw.exe, 00000000.00000002.2127321622.0000000001159000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Shlwapi.dllShell32.dllmsiexec.exeSoftware\JavaSoft\Java Development Kit\binSoftware\JavaSoft\Java Runtime Environment\JavaHomeFlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmpGETattachment.partfilenamecharset= "POSTutf-8DLD123US-ASCIIAdvancedInstallerutf-16ISO-8859-1*/*HTTP/1.0Local Network ServerFTP ServerContent-Type: application/x-www-form-urlencoded; charset=utf-8 equals www.yahoo.com (Yahoo)
Source: shiCF5B.tmp.0.dr String found in binary or memory: http://.css
Source: shiCF5B.tmp.0.dr String found in binary or memory: http://.jpg
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shiCF5B.tmp.0.dr String found in binary or memory: http://html4/loose.dtd
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: http://t2.symcb.com0
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: http://tl.symcd.com0&
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: https://www.advancedinstaller.com
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01082390 NtdllDefWindowProc_W, 0_2_01082390
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01002620 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W, 0_2_01002620
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00FA0110 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00FA0110
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00FE8100 NtdllDefWindowProc_W, 0_2_00FE8100
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F52330 NtdllDefWindowProc_W, 0_2_00F52330
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F5C750 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection, 0_2_00F5C750
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F58840 NtdllDefWindowProc_W, 0_2_00F58840
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F589B0 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00F589B0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F4EBF0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00F4EBF0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00FA0C9E GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00FA0C9E
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00FA0C28 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00FA0C28
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00FA0D5D GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00FA0D5D
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F96FA0 NtdllDefWindowProc_W, 0_2_00F96FA0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F4F1A0 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString, 0_2_00F4F1A0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F4F7D0 NtdllDefWindowProc_W, 0_2_00F4F7D0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F6D760 NtdllDefWindowProc_W, 0_2_00F6D760
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F51740 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow, 0_2_00F51740
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F618D0 NtdllDefWindowProc_W, 0_2_00F618D0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F51D70 NtdllDefWindowProc_W, 0_2_00F51D70
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\44d18d.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID2B6.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID48C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID4CB.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID50B.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSID2B6.tmp
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0107C120 0_2_0107C120
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0101C150 0_2_0101C150
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F5AB80 0_2_00F5AB80
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01058C40 0_2_01058C40
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F662B0 0_2_00F662B0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F644A0 0_2_00F644A0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F5E540 0_2_00F5E540
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010F4801 0_2_010F4801
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F58DF0 0_2_00F58DF0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010EEF3A 0_2_010EEF3A
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F43010 0_2_00F43010
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010DF44E 0_2_010DF44E
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01023460 0_2_01023460
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F75680 0_2_00F75680
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010DF7DC 0_2_010DF7DC
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F63890 0_2_00F63890
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F679D0 0_2_00F679D0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F9FAD0 0_2_00F9FAD0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010F9D65 0_2_010F9D65
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F43E25 0_2_00F43E25
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: String function: 00F47160 appears 50 times
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: String function: 00F73BA0 appears 90 times
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: String function: 00F49990 appears 69 times
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: String function: 0103F720 appears 61 times
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: String function: 00F470D0 appears 36 times
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: String function: 00F487D0 appears 404 times
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: String function: 00F49120 appears 41 times
Source: L7eGkXK1vw.exe, 00000000.00000003.1993768846.000000000188E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDecoder.dllF vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrereq.dllF vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe, 00000000.00000002.2127426575.00000000011E8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameInstaller.exe. vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe, 00000000.00000003.2028102721.0000000005D7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelzmaextractor.dllF vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe Binary or memory string: OriginalFileNameInstaller.exe. vs L7eGkXK1vw.exe
Source: L7eGkXK1vw.exe Binary or memory string: OriginalFilenameDecoder.dllF vs L7eGkXK1vw.exe
Source: shiCF5B.tmp.0.dr Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine Classification label: clean9.winEXE@8/13@0/0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01043200 FormatMessageW,GetLastError, 0_2_01043200
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0106DAE0 GetDiskFreeSpaceExW, 0_2_0106DAE0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01087B10 CoCreateInstance, 0_2_01087B10
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00FDAD00 FindResourceW,LoadResource,LockResource,SizeofResource, 0_2_00FDAD00
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe File created: C:\Users\user\AppData\Roaming\Customers suppliers spot report
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe File created: C:\Users\user\AppData\Local\Temp\shiCF5B.tmp
Source: L7eGkXK1vw.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe File read: C:\Users\user\Desktop\L7eGkXK1vw.exe
Source: unknown Process created: C:\Users\user\Desktop\L7eGkXK1vw.exe "C:\Users\user\Desktop\L7eGkXK1vw.exe"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding ACA38A334053287546358A7834586E97 C
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Customers suppliers spot report\AiEdit 1.0.0\install\ADBBE7B\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\L7eGkXK1vw.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488680 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C9C4CD5A6467721AC65AAF0E4F5DEE73
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: davhlpr.dll Jump to behavior
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: lpk.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: msihnd.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: tsappcmp.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: L7eGkXK1vw.exe Static PE information: certificate valid
Source: L7eGkXK1vw.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: L7eGkXK1vw.exe Static file information: File size 51727144 > 1048576
Source: L7eGkXK1vw.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x217a00
Source: L7eGkXK1vw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: L7eGkXK1vw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: L7eGkXK1vw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: L7eGkXK1vw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: L7eGkXK1vw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: L7eGkXK1vw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: L7eGkXK1vw.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: L7eGkXK1vw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wininet.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2028102721.0000000005D7C000.00000004.00000020.00020000.00000000.sdmp, shiCF5B.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdby source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, MSID48C.tmp.2.dr, 44d18d.msi.2.dr, MSID027.tmp.0.dr, MSID2B6.tmp.2.dr, MSID4CB.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: L7eGkXK1vw.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\Prereq.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.00000000049E7000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: L7eGkXK1vw.exe, 00000000.00000003.2028102721.0000000005D7C000.00000004.00000020.00020000.00000000.sdmp, shiCF5B.tmp.0.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: L7eGkXK1vw.exe
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr
Source: Binary string: D:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: L7eGkXK1vw.exe, decoder.dll.0.dr
Source: Binary string: D:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: L7eGkXK1vw.exe, 00000000.00000003.2024667164.0000000004850000.00000004.00001000.00020000.00000000.sdmp, 44d18d.msi.2.dr, MSID50B.tmp.2.dr, MSID0A5.tmp.0.dr, Installer.msi.0.dr
Source: L7eGkXK1vw.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: L7eGkXK1vw.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: L7eGkXK1vw.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: L7eGkXK1vw.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: L7eGkXK1vw.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shiCF5B.tmp.0.dr Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01080560 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_01080560
Source: shiCF5B.tmp.0.dr Static PE information: section name: .wpp_sf
Source: shiCF5B.tmp.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_3_01875C80 push ecx; ret 0_3_01875C81
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_3_0187CB92 push eax; retf 0_3_0187CBA1
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_3_01875898 push edi; ret 0_3_018759B1
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_3_01875758 push ebp; ret 0_3_01875759
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_3_0184C9A3 pushad ; iretd 0_3_0184CEA9
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_3_01858440 push eax; retf 0_3_01858441
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00FE60EB push ecx; mov dword ptr [esp], 3F800000h 0_2_00FE62BE
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010D771E push ecx; ret 0_2_010D7731
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F55CB0 push ecx; mov dword ptr [esp], ecx 0_2_00F55CB1
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01023D60 push ecx; mov dword ptr [esp], 3F800000h 0_2_01023E96
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe File created: C:\Users\user\AppData\Local\Temp\shiCF5B.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID50B.tmp
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe File created: C:\Users\user\AppData\Local\Temp\MSID027.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID2B6.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID48C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID4CB.tmp
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe File created: C:\Users\user\AppData\Roaming\Customers suppliers spot report\AiEdit 1.0.0\install\decoder.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe File created: C:\Users\user\AppData\Local\Temp\MSID0A5.tmp
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiCF5B.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID50B.tmp
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID027.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID2B6.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID48C.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID4CB.tmp
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Customers suppliers spot report\AiEdit 1.0.0\install\decoder.dll
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID0A5.tmp
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe File Volume queried: C:\Users\user\AppData\Roaming\Customers suppliers spot report\AiEdit 1.0.0\install FullSizeInformation
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe File Volume queried: C:\Users\user\AppData\Roaming\Customers suppliers spot report\AiEdit 1.0.0\install\ADBBE7B FullSizeInformation
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01062380 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_01062380
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F5AB80 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW, 0_2_00F5AB80
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01044DA0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_01044DA0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01045370 FindFirstFileW,GetLastError,FindClose, 0_2_01045370
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01063220 FindFirstFileW,FindClose, 0_2_01063220
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01028230 FindFirstFileW,FindNextFileW,FindClose, 0_2_01028230
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0106C530 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_0106C530
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0106C930 FindFirstFileW,FindClose, 0_2_0106C930
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010808D0 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_010808D0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01044A10 _wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr, 0_2_01044A10
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0104CF00 FindFirstFileW,FindClose,FindClose, 0_2_0104CF00
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0105F260 FindFirstFileW,FindClose, 0_2_0105F260
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0106F8A0 FindFirstFileW,FindClose, 0_2_0106F8A0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0106B500 _wcschr,_wcsrchr,_wcsrchr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_0106B500
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010D411D VirtualQuery,GetSystemInfo, 0_2_010D411D
Source: Installer.msi.0.dr Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: L7eGkXK1vw.exe Binary or memory string: VmCI_
Source: L7eGkXK1vw.exe Binary or memory string: pVMCI
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010D6437 IsDebuggerPresent,OutputDebugStringW, 0_2_010D6437
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01078A50 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers, 0_2_01078A50
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_01080560 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_01080560
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010D674C mov esi, dword ptr fs:[00000030h] 0_2_010D674C
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010F8A0E mov eax, dword ptr fs:[00000030h] 0_2_010F8A0E
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010ED840 mov ecx, dword ptr fs:[00000030h] 0_2_010ED840
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010D67B8 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_010D67B8
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_00F72530 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00F72530
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010D71E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_010D71E8
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010DBEA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_010DBEA3
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\customers suppliers spot report\aiedit 1.0.0\install\adbbe7b\installer.msi" ai_setupexepath=c:\users\user\desktop\l7egkxk1vw.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488680 " ai_euimsi=""
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0106FD20 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle, 0_2_0106FD20
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx, 0_2_01064F10
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_010F4D50
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: EnumSystemLocalesW, 0_2_010F0DD9
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: GetLocaleInfoW, 0_2_010F4F4B
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: EnumSystemLocalesW, 0_2_010F4FF2
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_010F5163
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: EnumSystemLocalesW, 0_2_010F503D
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: EnumSystemLocalesW, 0_2_010F50D8
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: GetLocaleInfoW, 0_2_010F1356
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: GetLocaleInfoW, 0_2_010F53B6
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: GetLocaleInfoW, 0_2_010F55E5
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_010F54DF
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_010F56B4
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0107C8F0 CreateNamedPipeW,CreateFileW, 0_2_0107C8F0
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_010D63AD GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 0_2_010D63AD
Source: C:\Users\user\Desktop\L7eGkXK1vw.exe Code function: 0_2_0107B490 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW, 0_2_0107B490
No contacted IP infos