Windows Analysis Report
RIv8fq9APB.exe

Overview

General Information

Sample name: RIv8fq9APB.exe (renamed because the original name is a hash value)
Original sample name: 895dccfa0aa2a7dfc4be56e0cf045dcbaf40a7ef23849ad30a3af38793fd214c.exe
Analysis ID: 1554995
MD5: 607a6e4ea1d6aa1393f54ad0c3b51dd7
SHA1: d3eefc0bd98d2d176483a80fa6f9e984d1e66e9a
SHA256: 895dccfa0aa2a7dfc4be56e0cf045dcbaf40a7ef23849ad30a3af38793fd214c
Tags: ConsolHQLTD, exe, user-JAMESWT_MHT

Detection

Score: 13
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Source: RIv8fq9APB.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: RIv8fq9APB.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
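
The two Static PE information lines above are bit flags read from the COFF file header (Characteristics) and the optional header (DllCharacteristics). The following is an added example, not code from the sandbox report or from the sandbox vendor: it reads those fields directly from a PE image and also derives the inputs behind the "Binary contains a suspicious time stamp" and "PE file contains sections with non-standard names" signatures listed earlier. The timestamp heuristic, the list of standard section names and the constructed test image are assumptions of the example, not values taken from the sample.

```python
"""Static PE header triage: the flags behind the 'Static PE information' lines,
read from the COFF and optional headers without a third-party PE library."""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* bits in the COFF file header Characteristics field (PE/COFF spec)
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_DLLCHARACTERISTICS_* bits in the optional header
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Section names a stock MSVC link produces (assumption); anything else is "non-standard"
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".tls", ".bss", ".debug", ".xdata"}


def _flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    """Return machine, link timestamp, both characteristics fields and section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # IMAGE_DOS_HEADER.e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, chars) = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24                                        # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]           # 0x10B = PE32, 0x20B = PE32+
    dll_chars = struct.unpack_from("<H", data, opt_off + 70)[0]  # DllCharacteristics: offset 70 in both formats
    sec_off = opt_off + opt_size                                 # IMAGE_SECTION_HEADER array, 40 bytes each
    names = []
    for i in range(nsections):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]       # Name is the first 8 bytes, NUL padded
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "timestamp": timestamp,
        "characteristics": _flag_names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _flag_names(dll_chars, DLL_CHARACTERISTICS),
        "sections": names,
        "non_standard_sections": [n for n in names if n not in STANDARD_SECTIONS],
    }


def timestamp_suspicious(timestamp: int, now=None) -> bool:
    """Heuristic of this example (not the sandbox's rule): a link time in the
    future, or before 1995, cannot be a genuine build time."""
    now = now or datetime.now(timezone.utc)
    linked = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return linked > now or linked.year < 1995


def build_minimal_pe(timestamp, characteristics, dll_characteristics, sections) -> bytes:
    """Constructed PE32 image used only for testing; it is not the sample from this report."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew: PE header right after the DOS header
    opt = bytearray(224)                                         # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic: PE32
    struct.pack_into("<H", opt, 70, dll_characteristics)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, len(opt), characteristics)
    hdrs = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


if __name__ == "__main__":
    # 0x0122 = EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE|32BIT_MACHINE, 0x8140 = DYNAMIC_BASE|NX_COMPAT|TERMINAL_SERVER_AWARE
    image = build_minimal_pe(0x7FFFFFFF, 0x0122, 0x8140, [".text", ".rdata", ".data", ".rsrc", ".xyz0"])
    info = parse_pe(image)
    print(info)
    print("suspicious timestamp:", timestamp_suspicious(info["timestamp"]))
```

Run it against a real file with `parse_pe(open(path, "rb").read())`; the flag lists come back in the same wording the report uses, so they can be compared line for line.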
Source: Binary string: wininet.pdb source: RIv8fq9APB.exe, 00000000.00000003.1280440752.0000000005744000.00000004.00000020.00020000.00000000.sdmp, shi44B7.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: RIv8fq9APB.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, MSI48C1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, MSI48C1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr
Source: Binary string: wininet.pdbUGP source: RIv8fq9APB.exe, 00000000.00000003.1280440752.0000000005744000.00000004.00000020.00020000.00000000.sdmp, shi44B7.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: RIv8fq9APB.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: RIv8fq9APB.exe
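
Every PDB path above sits under C:\JobRelease\win\Release\ and names Advanced Installer's custom-action and stub modules (AICustAct, lzmaextractor, SoftwareDetector, Prereq, Decoder, ExternalUi), which agrees with the AdvancedInstaller and https://www.advancedinstaller.com strings listed further down. The following is an added example, not code from the report: it recovers PDB paths from the CodeView RSDS record the linker writes (GUID, age, NUL-terminated path) instead of from a raw printable-string scan, and pivots on them to name the packager. Treating that build-tree prefix and those module names as Advanced Installer markers is an assumption of the example, and the debug records in the test buffer are constructed, not bytes from the sample.

```python
"""Recover PDB paths from CodeView (RSDS) debug records and pivot on them to
attribute the packaging framework. Added example; the markers it keys on are
taken from the PDB strings listed in this report."""
import re
import struct
import uuid

# Linker-emitted CodeView record: 'RSDS' | GUID (16 bytes, little-endian) | age (4) | NUL-terminated path
_RSDS = b"RSDS"


def extract_pdb_paths(data: bytes) -> list:
    """Return (guid, age, path) for every well-formed RSDS record found in data."""
    found = []
    idx = data.find(_RSDS)
    while idx != -1:
        end = data.find(b"\0", idx + 24)
        if end != -1 and end - (idx + 24) < 1024:
            path = data[idx + 24:end].decode("latin-1")
            if path.lower().endswith(".pdb"):                 # skip chance 'RSDS' matches in other data
                guid = uuid.UUID(bytes_le=data[idx + 4:idx + 20])
                age = struct.unpack_from("<I", data, idx + 20)[0]
                found.append((str(guid), age, path))
        idx = data.find(_RSDS, idx + 4)
    return found


# Assumption of this example: these identify the Advanced Installer stub and
# custom-action build tree (the report's PDB paths and 'AdvancedInstaller' strings agree).
ADVANCED_INSTALLER_MARKERS = (
    re.compile(r"\\JobRelease\\win\\Release\\(custact|stubs)\\", re.I),
    re.compile(r"\\(AICustAct|lzmaextractor|SoftwareDetector|Prereq|Decoder|ExternalUi)\.pdb$", re.I),
)


def attribute_packager(pdb_paths, strings=()):
    """Name the packaging framework, or None. Loose strings (such as the
    https://www.advancedinstaller.com URL this report lists) are a second pivot."""
    for path in pdb_paths:
        if any(m.search(path) for m in ADVANCED_INSTALLER_MARKERS):
            return "Advanced Installer"
    if any("advancedinstaller" in s.lower() for s in strings):
        return "Advanced Installer"
    return None


def build_rsds(path: str, guid=None, age=1) -> bytes:
    """Constructed debug record for testing; not bytes from the sample."""
    guid = guid or uuid.UUID("12345678-1234-5678-1234-567812345678")
    return _RSDS + guid.bytes_le + struct.pack("<I", age) + path.encode("latin-1") + b"\0"


if __name__ == "__main__":
    # Constructed buffer: padding, a real record, a false 'RSDS' hit, a second real record
    blob = (b"\x90" * 16
            + build_rsds(r"C:\JobRelease\win\Release\custact\x86\AICustAct.pdb", age=3)
            + b"RSDS" + b"x" * 20 + b"plain text\0"
            + build_rsds(r"C:\JobRelease\win\Release\stubs\x86\Decoder.pdb"))
    records = extract_pdb_paths(blob)
    for guid, age, path in records:
        print(guid, age, path)
    print(attribute_packager([p for _, _, p in records]))
```

The GUID and age together with the path form the PDB identity the debugger would request from a symbol server, so they are a stable pivot across builds of the same stub even when the file hash changes.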
Source: C:\Windows\SysWOW64\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: c: Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File opened: a: Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003243B0 FindFirstFileW,GetLastError,FindClose, 0_2_003243B0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00342380 FindFirstFileW,FindClose, 0_2_00342380
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0023A950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, 0_2_0023A950
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003414D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_003414D0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00323DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_00323DE0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0032C0B0 FindFirstFileW,FindClose,FindClose, 0_2_0032C0B0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0033E3A0 FindFirstFileW,FindClose, 0_2_0033E3A0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0034E610 FindFirstFileW,FindClose, 0_2_0034E610
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0034B3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_0034B3D0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0034B7D0 FindFirstFileW,FindClose, 0_2_0034B7D0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00323A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_00323A50
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0035FB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_0035FB20
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0034A620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_0034A620
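
The drive probes above (a: through z:) are logged against C:\Windows\SysWOW64\msiexec.exe, while the GetLogicalDriveStringsW/GetDriveTypeW chain and the FindFirstFileW loops are in RIv8fq9APB.exe itself; keeping that attribution straight matters when deciding which process actually earned a signature. The following is an added example, not part of the report or of the sandbox's own signature engine: a parser for evidence lines in this format that attributes each observation to its process and tags recognisable API chains. The tag names are this example's own labels, and the sample lines are a subset copied from the report above.

```python
"""Triage the behaviour evidence lines of a sandbox report: attribute each
observation to the process that produced it and tag recognisable API chains.
Added example; the tag names are mine, not the sandbox's signature names."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^Source: (?P<proc>\S+) (?P<kind>Code function|File opened|File created|File deleted): "
    r"(?P<detail>.*?)(?: Jump to behavior)?$")
# "0_2_ADDR api,api, 0_2_ADDR" or, for functions listed without an API chain, "0_2_ADDR 0_2_ADDR"
CODE_RE = re.compile(r"^(?P<fid>\d+_\d+_[0-9A-F]+)(?: (?P<apis>\S+),)? \1$")
DRIVE_RE = re.compile(r"^[a-z]:$", re.I)

# API sets that earn a tag when all members appear in one function's chain
API_TAGS = {
    "drive enumeration": {"GetLogicalDriveStringsW", "GetDriveTypeW"},
    "file enumeration": {"FindFirstFileW"},
    "WoW64 redirection disabled": {"Wow64DisableWow64FsRedirection"},
    "native (ntdll) call": {"NtdllDefWindowProc_W"},
}


def parse_line(line: str):
    """One evidence line -> {process, kind, tags, function|path}, or None if not evidence."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proc = m.group("proc").rsplit("\\", 1)[-1].lower()         # image name only
    kind, detail = m.group("kind"), m.group("detail")
    rec = {"process": proc, "kind": kind, "tags": set()}
    if kind == "Code function":
        c = CODE_RE.match(detail)
        if not c:
            return None
        apis = set(c.group("apis").split(",")) if c.group("apis") else set()
        rec["function"] = c.group("fid")
        rec["tags"] = {tag for tag, need in API_TAGS.items() if need <= apis}
    else:
        rec["path"] = detail
        if kind == "File opened" and DRIVE_RE.match(detail):   # "File opened: z:" style drive probe
            rec["tags"] = {"drive probe"}
    return rec


def attribute(lines) -> dict:
    """tag -> sorted list of process image names that exhibited it."""
    who = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            for tag in rec["tags"]:
                who[tag].add(rec["process"])
    return {tag: sorted(procs) for tag, procs in who.items()}


# Evidence lines copied from the report above (a representative subset)
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\msiexec.exe File opened: z: Jump to behavior",
    r"Source: C:\Windows\SysWOW64\msiexec.exe File opened: c: Jump to behavior",
    r"Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003243B0 FindFirstFileW,GetLastError,FindClose, 0_2_003243B0",
    r"Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0034A620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_0034A620",
    r"Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5646f9.msi Jump to behavior",
]

if __name__ == "__main__":
    for tag, procs in sorted(attribute(SAMPLE_LINES).items()):
        print(f"{tag:30} {', '.join(procs)}")
```

Feed it the whole evidence section and the drive probes resolve to msiexec.exe only, while the drive and file enumeration tags resolve to the sample; that split is the first thing to check before treating "Checks for available system drives" as the sample's own behaviour.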
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:49724
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.7:49947
Source: RIv8fq9APB.exe, 00000000.00000002.1370430980.0000000000438000.00000002.00000001.01000000.00000003.sdmp, RIv8fq9APB.exe, 00000000.00000000.1234564064.0000000000438000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: 4Shlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: RIv8fq9APB.exe String found in binary or memory: RShlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: shi44B7.tmp.0.dr String found in binary or memory: http://.css
Source: shi44B7.tmp.0.dr String found in binary or memory: http://.jpg
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1366470924.000000000417C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1366470924.000000000417C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1366470924.000000000417C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shi44B7.tmp.0.dr String found in binary or memory: http://html4/loose.dtd
Source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, Installer.msi.0.dr, 5646f9.msi.7.dr String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1366470924.000000000417C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1366470924.000000000417C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1366470924.000000000417C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: http://t2.symcb.com0
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1366470924.000000000417C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1366470924.000000000417C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1366470924.000000000417C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: http://tl.symcd.com0&
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1366470924.000000000417C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1366470924.000000000417C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: https://www.advancedinstaller.com
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1366470924.000000000417C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1369141146.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1366470924.000000000417C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000002.1372617670.000000000416C000.00000004.00000020.00020000.00000000.sdmp, RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48C1.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003615E0 NtdllDefWindowProc_W, 0_2_003615E0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_002E1FB0 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W, 0_2_002E1FB0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00280010 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00280010
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00232250 NtdllDefWindowProc_W, 0_2_00232250
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0023C4F0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection, 0_2_0023C4F0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00238720 NtdllDefWindowProc_W, 0_2_00238720
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00238890 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00238890
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00280BAA ShowWindow,ShowWindow,GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00280BAA
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0022EBE0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W, 0_2_0022EBE0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00280C22 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00280C22
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00280CE3 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00280CE3
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00276EE0 NtdllDefWindowProc_W, 0_2_00276EE0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0022F190 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString, 0_2_0022F190
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0024D320 NtdllDefWindowProc_W, 0_2_0024D320
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_002415F0 NtdllDefWindowProc_W, 0_2_002415F0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00231670 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow, 0_2_00231670
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0022F7C0 NtdllDefWindowProc_W, 0_2_0022F7C0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00231C90 NtdllDefWindowProc_W, 0_2_00231C90
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_002C7F20 NtdllDefWindowProc_W, 0_2_002C7F20
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5646f9.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4812.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4871.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI48A1.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI48C1.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI4812.tmp Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0023A950 0_2_0023A950
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0035B350 0_2_0035B350
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00337D70 0_2_00337D70
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00246070 0_2_00246070
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_002441B0 0_2_002441B0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003BE2BE 0_2_003BE2BE
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0023E290 0_2_0023E290
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003BE64C 0_2_003BE64C
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00302A50 0_2_00302A50
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003D8B95 0_2_003D8B95
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00238CD0 0_2_00238CD0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00222F40 0_2_00222F40
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_002552F0 0_2_002552F0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0039D550 0_2_0039D550
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_002435A0 0_2_002435A0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003D3631 0_2_003D3631
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00247630 0_2_00247630
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_002FB7A0 0_2_002FB7A0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0027FA40 0_2_0027FA40
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003CDD6A 0_2_003CDD6A
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00293FC0 0_2_00293FC0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: String function: 00227070 appears 53 times
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: String function: 0031E6D0 appears 60 times
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: String function: 00226FF0 appears 46 times
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: String function: 002299C0 appears 69 times
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: String function: 00229390 appears 41 times
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: String function: 0031E770 appears 31 times
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: String function: 00253810 appears 90 times
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: String function: 00228800 appears 223 times
Source: RIv8fq9APB.exe, 00000000.00000003.1366518124.0000000004131000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000003.1367044116.0000000004139000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000003.1280440752.0000000005744000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000002.1370609821.00000000004E6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameInstaller.exe@ vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrereq.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelzmaextractor.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000003.1367090329.0000000004149000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe, 00000000.00000003.1236810027.0000000001124000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDecoder.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe Binary or memory string: OriginalFileNameInstaller.exe@ vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe Binary or memory string: OriginalFilenameDecoder.dllF vs RIv8fq9APB.exe
Source: RIv8fq9APB.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: shi44B7.tmp.0.dr Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine Classification label: clean13.winEXE@8/13@0/0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00322230 FormatMessageW,GetLastError, 0_2_00322230
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0034C990 GetDiskFreeSpaceExW, 0_2_0034C990
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00366D50 CoCreateInstance, 0_2_00366D50
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_002BAB40 FindResourceW,LoadResource,LockResource,SizeofResource, 0_2_002BAB40
Source: C:\Users\user\Desktop\RIv8fq9APB.exe File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe File created: C:\Users\user~1\AppData\Local\Temp\shi44B7.tmp Jump to behavior
Source: RIv8fq9APB.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RIv8fq9APB.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe File read: C:\Users\user\Desktop\RIv8fq9APB.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\RIv8fq9APB.exe "C:\Users\user\Desktop\RIv8fq9APB.exe"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 514532DC5754F2DEA5310FF5234A96F5 C
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install\0BEAF65\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\RIv8fq9APB.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488877 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 83139F07849E8D7972AAA3545112F408
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install\0BEAF65\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\RIv8fq9APB.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488877 " AI_EUIMSI="" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 514532DC5754F2DEA5310FF5234A96F5 C Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 83139F07849E8D7972AAA3545112F408 Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: davhlpr.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: lpk.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: RIv8fq9APB.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: RIv8fq9APB.exe Static file information: File size 49202888 > 1048576
Source: RIv8fq9APB.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x216e00
Source: RIv8fq9APB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: RIv8fq9APB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: RIv8fq9APB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: RIv8fq9APB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RIv8fq9APB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: RIv8fq9APB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: RIv8fq9APB.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: RIv8fq9APB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wininet.pdb source: RIv8fq9APB.exe, 00000000.00000003.1280440752.0000000005744000.00000004.00000020.00020000.00000000.sdmp, shi44B7.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004386000.00000004.00001000.00020000.00000000.sdmp, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: RIv8fq9APB.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, MSI48C1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, MSI48C1.tmp.7.dr, Installer.msi.0.dr, MSI45D2.tmp.0.dr, 5646f9.msi.7.dr
Source: Binary string: wininet.pdbUGP source: RIv8fq9APB.exe, 00000000.00000003.1280440752.0000000005744000.00000004.00000020.00020000.00000000.sdmp, shi44B7.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, MSI4545.tmp.0.dr, MSI4812.tmp.7.dr, MSI4871.tmp.7.dr, MSI48A1.tmp.7.dr, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: RIv8fq9APB.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: RIv8fq9APB.exe, 00000000.00000003.1273242213.0000000004230000.00000004.00001000.00020000.00000000.sdmp, Installer.msi.0.dr, 5646f9.msi.7.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: RIv8fq9APB.exe
Source: RIv8fq9APB.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RIv8fq9APB.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RIv8fq9APB.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RIv8fq9APB.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RIv8fq9APB.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shi44B7.tmp.0.dr Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00322350 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00322350
Source: shi44B7.tmp.0.dr Static PE information: section name: .wpp_sf
Source: shi44B7.tmp.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_3_010EA61D push edi; ret 0_3_010EA629
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_3_010EA61D push edi; ret 0_3_010EA629
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_3_010EA5A0 push ecx; ret 0_3_010EA5B1
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_3_010EA5A0 push ecx; ret 0_3_010EA5B1
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_3_010ECCD4 push esp; ret 0_3_010ECCF5
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_3_010ECCD4 push esp; ret 0_3_010ECCF5
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_3_010E9FE7 push ebx; ret 0_3_010EA011
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_3_010E9FE7 push ebx; ret 0_3_010EA011
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_3_010EA2E0 push ebp; ret 0_3_010EA2E1
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_3_010EA2E0 push ebp; ret 0_3_010EA2E1
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0028A486 push esi; ret 0_2_0028A488
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003B6C6E push ecx; ret 0_2_003B6C81
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00303330 push ecx; mov dword ptr [esp], 3F800000h 0_2_00303478
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00235BE0 push ecx; mov dword ptr [esp], ecx 0_2_00235BE1
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4871.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI48A1.tmp Jump to dropped file
Source: C:\Users\user\Desktop\RIv8fq9APB.exe File created: C:\Users\user\AppData\Local\Temp\MSI45D2.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4812.tmp Jump to dropped file
Source: C:\Users\user\Desktop\RIv8fq9APB.exe File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install\decoder.dll Jump to dropped file
Source: C:\Users\user\Desktop\RIv8fq9APB.exe File created: C:\Users\user\AppData\Local\Temp\MSI4545.tmp Jump to dropped file
Source: C:\Users\user\Desktop\RIv8fq9APB.exe File created: C:\Users\user\AppData\Local\Temp\shi44B7.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI48C1.tmp Jump to dropped file
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI4871.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI48A1.tmp Jump to dropped file
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI45D2.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI4812.tmp Jump to dropped file
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install\decoder.dll Jump to dropped file
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4545.tmp Jump to dropped file
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi44B7.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI48C1.tmp Jump to dropped file
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\RIv8fq9APB.exe API coverage: 9.8 %
Source: C:\Users\user\Desktop\RIv8fq9APB.exe File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ Utils 1.14.1\install\0BEAF65 FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003243B0 FindFirstFileW,GetLastError,FindClose, 0_2_003243B0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00342380 FindFirstFileW,FindClose, 0_2_00342380
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0023A950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, 0_2_0023A950
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003414D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_003414D0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00323DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_00323DE0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0032C0B0 FindFirstFileW,FindClose,FindClose, 0_2_0032C0B0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0033E3A0 FindFirstFileW,FindClose, 0_2_0033E3A0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0034E610 FindFirstFileW,FindClose, 0_2_0034E610
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0034B3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_0034B3D0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0034B7D0 FindFirstFileW,FindClose, 0_2_0034B7D0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00323A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_00323A50
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0035FB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_0035FB20
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0034A620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_0034A620
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003B365A VirtualQuery,GetSystemInfo, 0_2_003B365A
Source: 5646f9.msi.7.dr Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003BAD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_003BAD13
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003577C0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers, 0_2_003577C0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00322350 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00322350
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003CC66D mov ecx, dword ptr fs:[00000030h] 0_2_003CC66D
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003D783E mov eax, dword ptr fs:[00000030h] 0_2_003D783E
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003B5CA1 mov esi, dword ptr fs:[00000030h] 0_2_003B5CA1
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003B5D0D GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_003B5D0D
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_002521E0 __set_se_translator,SetUnhandledExceptionFilter, 0_2_002521E0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003B6738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_003B6738
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003BAD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_003BAD13
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\consolhq ltd\consolehq utils 1.14.1\install\0beaf65\installer.msi" ai_setupexepath=c:\users\user\desktop\riv8fq9apb.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488877 " ai_euimsi=""
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\consolhq ltd\consolehq utils 1.14.1\install\0beaf65\installer.msi" ai_setupexepath=c:\users\user\desktop\riv8fq9apb.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488877 " ai_euimsi="" Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0034EAB0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle, 0_2_0034EAB0
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx, 0_2_00344050
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: GetLocaleInfoW, 0_2_003D0186
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: GetLocaleInfoW, 0_2_003D41E6
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_003D430F
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: GetLocaleInfoW, 0_2_003D4415
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_003D44E4
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_003D3B80
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: EnumSystemLocalesW, 0_2_003CFC09
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: GetLocaleInfoW, 0_2_003D3D7B
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: EnumSystemLocalesW, 0_2_003D3E22
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: EnumSystemLocalesW, 0_2_003D3E6D
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: EnumSystemLocalesW, 0_2_003D3F08
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_003D3F93
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0035BB20 CreateNamedPipeW,CreateFileW, 0_2_0035BB20
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003B72F4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_003B72F4
Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0035A240 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW, 0_2_0035A240
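The "Code function" lines above are the evidence behind several signatures in this report (debugger checks, PEB reads through fs:[30h], drive enumeration, the administrator-group check via OpenProcessToken/GetTokenInformation/EqualSid). Read one by one they over-count: the chain IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess is what the MSVC runtime's `__scrt_fastfail` emits, and GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter is `__security_init_cookie`, so every release build of a Visual C++ program carries both. The script below is an added example, not part of the report: it parses the report's own "Code function" lines (a subset copied verbatim as constructed input), tags each call chain, separates CRT start-up noise from deliberate checks, and only flags the OutputDebugString trick when GetLastError directly follows the call (in 0_2_003577C0 the order is reversed, which is a logging routine, not a debugger check). The category names and the rule table are this example's own heuristics, not the sandbox's.

```python
"""Classify the API call chains the sandbox lists under 'Code function:' (added example)."""
import re

# Report lines copied from this analysis. Two layouts occur: address first
# and address last; the parser below accepts both.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003243B0 FindFirstFileW,GetLastError,FindClose, 0_2_003243B0",
    r"Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0034A620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_0034A620",
    r"Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003BAD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_003BAD13",
    r"Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003577C0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers, 0_2_003577C0",
    r"Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_00322350 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00322350",
    r"Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003CC66D mov ecx, dword ptr fs:[00000030h] 0_2_003CC66D",
    r"Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_003B72F4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_003B72F4",
    r"Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0034EAB0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle, 0_2_0034EAB0",
    r"Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_003D430F",
    r"Source: C:\Users\user\Desktop\RIv8fq9APB.exe Code function: 0_2_0035A240 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW, 0_2_0035A240",
]

LINE_RE = re.compile(
    r"Code function: (?:(?P<addr>\d+_\d+_[0-9A-Fa-f]+) )?(?P<body>.+?),? (?P<addr2>\d+_\d+_[0-9A-Fa-f]+)$"
)
PEB_RE = re.compile(r"mov (?P<reg>\w+), dword ptr fs:\[(?P<off>[0-9A-Fa-f]+)h\]")

# (tag, APIs that must all appear in the chain). Heuristics of this example.
RULES = [
    ("anti-debug/IsDebuggerPresent", {"IsDebuggerPresent"}),
    ("drive-enumeration", {"GetLogicalDriveStringsW", "GetDriveTypeW"}),
    ("file-enumeration", {"FindFirstFileW"}),
    ("admin-check", {"OpenProcessToken", "GetTokenInformation", "EqualSid"}),
    ("dynamic-api-resolution", {"LoadLibraryW", "GetProcAddress"}),
    ("locale-query", {"GetLocaleInfoW"}),
    ("user-identity", {"GetUserNameW"}),
]
# Chains that MSVC CRT start-up code emits in every release build.
CRT_NOISE = [
    ("__scrt_fastfail", {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"}),
    ("__security_init_cookie", {"GetSystemTimeAsFileTime", "GetCurrentThreadId", "GetCurrentProcessId", "QueryPerformanceCounter"}),
]


def parse_code_function(line):
    """Return {'addr', 'apis', 'fs_offset'} or None for lines of another kind."""
    m = LINE_RE.search(line)
    if not m:
        return None
    addr = m.group("addr") or m.group("addr2")
    peb = PEB_RE.match(m.group("body"))
    if peb:
        return {"addr": addr, "apis": [], "fs_offset": int(peb.group("off"), 16)}
    return {"addr": addr, "apis": [a for a in m.group("body").split(",") if a], "fs_offset": None}


def adjacent(apis, first, second):
    """True when `first` is immediately followed by `second` in the chain."""
    return any(a == first and b == second for a, b in zip(apis, apis[1:]))


def classify(entry):
    tags, names = [], set(entry["apis"])
    if entry["fs_offset"] == 0x30:
        # On 32-bit Windows TEB+0x30 holds the PEB pointer; PEB+2 is BeingDebugged.
        tags.append("peb-access")
    elif entry["fs_offset"] is not None:
        tags.append(f"teb-access:0x{entry['fs_offset']:x}")
    tags += [tag for tag, required in RULES if required <= names]
    # The classic trick is OutputDebugString *then* GetLastError; other orders are logging.
    if adjacent(entry["apis"], "OutputDebugStringW", "GetLastError"):
        tags.append("anti-debug/OutputDebugString")
    tags += [f"crt-noise:{name}" for name, sig in CRT_NOISE if sig <= names]
    return tags


def triage(lines):
    """Map each function address in the report to its tags."""
    result = {}
    for line in lines:
        entry = parse_code_function(line)
        if entry:
            result[entry["addr"]] = classify(entry)
    return result


if __name__ == "__main__":
    for addr, tags in triage(REPORT_LINES).items():
        print(addr, ", ".join(tags) or "-")
```

What remains after the CRT noise is removed is the behaviour an analyst has to weigh: the administrator-group check, the drive enumeration behind Wow64DisableWow64FsRedirection, and the runtime API resolution, all of which are also what a legitimate installer bootstrapper does, which is consistent with the low score this report assigns.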
No contacted IP information