Windows Analysis Report
w4Xl662CE7.exe

Overview

General Information

Sample name: w4Xl662CE7.exe
renamed because original name is a hash value
Original sample name: 7672bd369e644ee4f4d332d779c81b863ee581a0de11bf354bc854181c7cccb7.exe
Analysis ID: 1554996
MD5: d350f9d68867c04a5834d40ed20435a6
SHA1: 7e9e9a5454d780a0df486519470c01db978ec6fc
SHA256: 7672bd369e644ee4f4d332d779c81b863ee581a0de11bf354bc854181c7cccb7
Tags: ConsolHQLTD, exe, user-JAMESWT_MHT

Detection

Score: 9
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Compliance

Score: 47
Range: 0 - 100

Signatures

Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect virtual machines (STR)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Compliance

Source: w4Xl662CE7.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: w4Xl662CE7.exe Static PE information: certificate valid
Source: w4Xl662CE7.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: w4Xl662CE7.exe, 00000000.00000003.1469611381.0000000005B62000.00000004.00000020.00020000.00000000.sdmp, shi8B2.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: w4Xl662CE7.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: w4Xl662CE7.exe, 00000000.00000003.1469611381.0000000005B62000.00000004.00000020.00020000.00000000.sdmp, shi8B2.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: w4Xl662CE7.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: w4Xl662CE7.exe
Source: C:\Windows\SysWOW64\msiexec.exe File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FA43B0 FindFirstFileW,GetLastError,FindClose, 0_2_00FA43B0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FC2380 FindFirstFileW,FindClose, 0_2_00FC2380
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EBA950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, 0_2_00EBA950
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FC14D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00FC14D0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FA3DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_00FA3DE0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FAC0B0 FindFirstFileW,FindClose,FindClose, 0_2_00FAC0B0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FBE3A0 FindFirstFileW,FindClose, 0_2_00FBE3A0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FCE610 FindFirstFileW,FindClose, 0_2_00FCE610
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FCB3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00FCB3D0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FCB7D0 FindFirstFileW,FindClose, 0_2_00FCB7D0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FA3A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_00FA3A50
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FDFB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00FDFB20
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FCA620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00FCA620
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.8:49713
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.8:49715
Source: w4Xl662CE7.exe String found in binary or memory: RShlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: w4Xl662CE7.exe, 00000000.00000000.1415579672.00000000010B8000.00000002.00000001.01000000.00000003.sdmp, w4Xl662CE7.exe, 00000000.00000002.1533940668.00000000010B8000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Shlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: shi8B2.tmp.0.dr String found in binary or memory: http://.css
Source: shi8B2.tmp.0.dr String found in binary or memory: http://.jpg
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shi8B2.tmp.0.dr String found in binary or memory: http://html4/loose.dtd
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, Installer.msi.0.dr String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://t2.symcb.com0
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://tl.symcd.com0&
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: https://www.advancedinstaller.com
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531507142.000000000458C000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000002.1535367452.00000000045B5000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1531531919.00000000045A3000.00000004.00000020.00020000.00000000.sdmp, w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FE15E0 NtdllDefWindowProc_W, 0_2_00FE15E0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00F61FB0 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W, 0_2_00F61FB0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00F00010 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00F00010
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EB2250 NtdllDefWindowProc_W, 0_2_00EB2250
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EBC4F0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection, 0_2_00EBC4F0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EB8720 NtdllDefWindowProc_W, 0_2_00EB8720
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EB8890 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00EB8890
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EAEBE0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00EAEBE0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00F00BAA ShowWindow,ShowWindow,GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00F00BAA
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00F00CE3 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00F00CE3
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00F00C22 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00F00C22
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EF6EE0 NtdllDefWindowProc_W, 0_2_00EF6EE0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EAF190 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString, 0_2_00EAF190
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00ECD320 NtdllDefWindowProc_W, 0_2_00ECD320
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EC15F0 NtdllDefWindowProc_W, 0_2_00EC15F0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EB1670 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow, 0_2_00EB1670
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EAF7C0 NtdllDefWindowProc_W, 0_2_00EAF7C0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EB1C90 NtdllDefWindowProc_W, 0_2_00EB1C90
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00F47F20 NtdllDefWindowProc_W, 0_2_00F47F20
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6b0e6e.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI115C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI11CB.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI122A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1259.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI115C.tmp
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EBA950 0_2_00EBA950
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FDB350 0_2_00FDB350
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FB7D70 0_2_00FB7D70
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EC6070 0_2_00EC6070
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EC41B0 0_2_00EC41B0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EBE290 0_2_00EBE290
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_0103E2BE 0_2_0103E2BE
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_0103E64C 0_2_0103E64C
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_01058B95 0_2_01058B95
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00F82A50 0_2_00F82A50
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EB8CD0 0_2_00EB8CD0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EA2F40 0_2_00EA2F40
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00ED52F0 0_2_00ED52F0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_0101D550 0_2_0101D550
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EC35A0 0_2_00EC35A0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EC7630 0_2_00EC7630
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00F7B7A0 0_2_00F7B7A0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EFFA40 0_2_00EFFA40
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_0104DD6A 0_2_0104DD6A
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00F13FC0 0_2_00F13FC0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: String function: 00F9E770 appears 31 times
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: String function: 00EA8800 appears 223 times
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: String function: 00ED3810 appears 90 times
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: String function: 00EA9390 appears 41 times
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: String function: 00EA7070 appears 53 times
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: String function: 00EA99C0 appears 69 times
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: String function: 00EA6FF0 appears 46 times
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: String function: 00F9E6D0 appears 60 times
Source: w4Xl662CE7.exe, 00000000.00000000.1415673595.0000000001166000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameInstaller.exe4 vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelzmaextractor.dllF vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe, 00000000.00000003.1418093781.00000000016AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDecoder.dllF vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrereq.dllF vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe, 00000000.00000003.1469611381.0000000005B62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe Binary or memory string: OriginalFileNameInstaller.exe4 vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe Binary or memory string: OriginalFilenameDecoder.dllF vs w4Xl662CE7.exe
Source: w4Xl662CE7.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: shi8B2.tmp.0.dr Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine Classification label: clean9.winEXE@8/13@0/0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FA2230 FormatMessageW,GetLastError, 0_2_00FA2230
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FCC990 GetDiskFreeSpaceExW, 0_2_00FCC990
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FE6D50 CoCreateInstance, 0_2_00FE6D50
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00F3AB40 FindResourceW,LoadResource,LockResource,SizeofResource, 0_2_00F3AB40
Source: C:\Users\user\Desktop\w4Xl662CE7.exe File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD
Source: C:\Users\user\Desktop\w4Xl662CE7.exe File created: C:\Users\user\AppData\Local\Temp\shi8B2.tmp
Source: w4Xl662CE7.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\w4Xl662CE7.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\w4Xl662CE7.exe File read: C:\Users\user\Desktop\w4Xl662CE7.exe
Source: unknown Process created: C:\Users\user\Desktop\w4Xl662CE7.exe "C:\Users\user\Desktop\w4Xl662CE7.exe"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F4295AFC544D7720538B75B4E254EF96 C
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\w4Xl662CE7.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488867 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FCF7C67D7B0D5412E5FD6BA69DD16D34
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: lpk.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: msihnd.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: tsappcmp.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: w4Xl662CE7.exe Static PE information: certificate valid
Source: w4Xl662CE7.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: w4Xl662CE7.exe Static file information: File size 49206760 > 1048576
Source: w4Xl662CE7.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x216e00
Source: w4Xl662CE7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: w4Xl662CE7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: w4Xl662CE7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: w4Xl662CE7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: w4Xl662CE7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: w4Xl662CE7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: w4Xl662CE7.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: w4Xl662CE7.exe, 00000000.00000003.1469611381.0000000005B62000.00000004.00000020.00020000.00000000.sdmp, shi8B2.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: w4Xl662CE7.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.00000000047D6000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, MSI1259.tmp.2.dr, MSIAD7.tmp.0.dr, Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: w4Xl662CE7.exe, 00000000.00000003.1469611381.0000000005B62000.00000004.00000020.00020000.00000000.sdmp, shi8B2.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, MSI11CB.tmp.2.dr, MSI93F.tmp.0.dr, 6b0e6e.msi.2.dr, MSI122A.tmp.2.dr, MSI115C.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: w4Xl662CE7.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: w4Xl662CE7.exe, 00000000.00000003.1452806476.0000000004680000.00000004.00001000.00020000.00000000.sdmp, 6b0e6e.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: w4Xl662CE7.exe
Source: w4Xl662CE7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: w4Xl662CE7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: w4Xl662CE7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: w4Xl662CE7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: w4Xl662CE7.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shi8B2.tmp.0.dr Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FA2350 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00FA2350
Source: shi8B2.tmp.0.dr Static PE information: section name: .wpp_sf
Source: shi8B2.tmp.0.dr Static PE information: section name: .didat
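The timestamp and section-name findings above come from the dropped shi8B2.tmp, the same file that carries the wininet.pdb debug path. Two caveats apply before reading them as tampering: Microsoft builds its own binaries reproducibly and stores a hash, not a build time, in TimeDateStamp (the debug directory then carries an IMAGE_DEBUG_TYPE_REPRO entry), which yields impossible dates such as 2076; and .didat (delay-load import data) and .wpp_sf (WPP software tracing) are ordinary section names in Microsoft-built images. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses the COFF header and section table from raw PE bytes, decodes the timestamp, and applies the same two checks the report applied plus a writable-and-executable section check. Its input is a constructed header carrying the reported values (i386, timestamp 0xC7FEC470, sections .text, .wpp_sf, .didat), not the dropped file, and the COMMON_SECTIONS allow-list is this example's own assumption.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINES = {0x14C: "i386", 0x8664: "x64", 0x1C4: "armnt", 0xAA64: "arm64"}
# Section names the MSVC toolchain emits for ordinary images (assumption of this
# example); anything else is reported, the rule that produced the lines above.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                   ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".gfids", ".00cfg"}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_pe_header(data: bytes) -> Dict:
    """Read the COFF file header and the section table from raw PE file bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # IMAGE_FILE_HEADER is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0] if opt_size >= 2 else 0
    sections: List[Dict] = []
    pos = opt + opt_size                              # section table follows the optional header
    for _ in range(nsections):
        (name, vsize, rva, raw_size, raw_ptr,
         _r, _l, _nr, _nl, flags) = struct.unpack_from("<8sIIIIIIHHI", data, pos)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "rva": rva, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "characteristics": flags})
        pos += 40                                     # IMAGE_SECTION_HEADER is 40 bytes
    return {"machine": MACHINES.get(machine, hex(machine)),
            "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
            "timestamp": timestamp,
            "timestamp_utc": (EPOCH + timedelta(seconds=timestamp)).isoformat(),
            "characteristics": characteristics,
            "sections": sections}


def classify_timestamp(header: Dict, now_epoch: int) -> str:
    """'zero', 'future' or 'plausible'. A future date is exactly what a reproducible-build
    hash in TimeDateStamp looks like, so confirm via the debug directory (type 16,
    IMAGE_DEBUG_TYPE_REPRO) before treating it as a forged timestamp."""
    ts = header["timestamp"]
    if ts == 0:
        return "zero"
    return "future" if ts > now_epoch else "plausible"


def unusual_sections(header: Dict) -> List[str]:
    return [s["name"] for s in header["sections"] if s["name"] not in COMMON_SECTIONS]


def writable_executable_sections(header: Dict) -> List[str]:
    """Sections mapped both writable and executable; none are expected in a normal image."""
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in header["sections"] if s["characteristics"] & wx == wx]


def build_sample_image() -> bytes:
    """Constructed headers only (no code, no data directories): an i386 PE32 with the
    timestamp and section names this report lists for shi8B2.tmp. Not the dropped file."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0xC7FEC470, 0, 0, 224, 0x2102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222              # PE32 magic, rest zeroed

    def section(name: bytes, rva: int, flags: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, rva, 0x200, 0x400, 0, 0, 0, 0, flags)

    table = (section(b".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
             + section(b".wpp_sf", 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
             + section(b".didat", 0x3000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
    return dos + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    hdr = parse_pe_header(build_sample_image())
    print(hdr["machine"], hdr["format"], hdr["timestamp_utc"],
          classify_timestamp(hdr, int(datetime.now(timezone.utc).timestamp())))
    print("unusual sections:", unusual_sections(hdr), "W+X:", writable_executable_sections(hdr))
```

Against a real file, call parse_pe_header(open(path, "rb").read()). To settle the reproducible-build question for a future timestamp, walk IMAGE_DIRECTORY_ENTRY_DEBUG (data directory index 6) for an entry of type 16; the parser above stops at the section table because the constructed header has no data directories.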
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_3_016ABF70 push ecx; ret 0_3_016ABF71
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_3_016A5C4F push es; iretd 0_3_016A5C5A
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_3_016A5C4D push es; retf 0_3_016A5C4E
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_3_016AA741 push FFFFFFBFh; iretd 0_3_016AA743
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_3_016AD633 push es; ret 0_3_016AD636
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_3_016A5819 push es; ret 0_3_016A5C3A
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI122A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1259.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI11CB.tmp
Source: C:\Users\user\Desktop\w4Xl662CE7.exe File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe File created: C:\Users\user\AppData\Local\Temp\MSI93F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI115C.tmp
Source: C:\Users\user\Desktop\w4Xl662CE7.exe File created: C:\Users\user\AppData\Local\Temp\MSIAD7.tmp
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_3_0168C160 str word ptr [eax+40764612h] 0_3_0168C160
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi8B2.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI122A.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI1259.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI11CB.tmp
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI93F.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI115C.tmp
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIAD7.tmp
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\w4Xl662CE7.exe File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\w4Xl662CE7.exe File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install FullSizeInformation
Source: C:\Users\user\Desktop\w4Xl662CE7.exe File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3 FullSizeInformation
Source: C:\Users\user\Desktop\w4Xl662CE7.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FA43B0 FindFirstFileW,GetLastError,FindClose, 0_2_00FA43B0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FC2380 FindFirstFileW,FindClose, 0_2_00FC2380
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00EBA950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, 0_2_00EBA950
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FC14D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00FC14D0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FA3DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_00FA3DE0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FAC0B0 FindFirstFileW,FindClose,FindClose, 0_2_00FAC0B0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FBE3A0 FindFirstFileW,FindClose, 0_2_00FBE3A0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FCE610 FindFirstFileW,FindClose, 0_2_00FCE610
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FCB3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00FCB3D0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FCB7D0 FindFirstFileW,FindClose, 0_2_00FCB7D0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FA3A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_00FA3A50
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FDFB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00FDFB20
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FCA620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00FCA620
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_0103365A VirtualQuery,GetSystemInfo, 0_2_0103365A
Source: w4Xl662CE7.exe Binary or memory string: &VmCi
Source: Installer.msi.0.dr Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: w4Xl662CE7.exe, 00000000.00000003.1532941791.000000000166B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\rod_VMware_SATA_CD00#4&22
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_0103AD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0103AD13
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FD77C0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers, 0_2_00FD77C0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FA2350 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00FA2350
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_0104C66D mov ecx, dword ptr fs:[00000030h] 0_2_0104C66D
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_0105783E mov eax, dword ptr fs:[00000030h] 0_2_0105783E
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_01035CA1 mov esi, dword ptr fs:[00000030h] 0_2_01035CA1
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_01035D0D GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_01035D0D
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00ED21E0 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00ED21E0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_01036738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_01036738
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_0103AD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0103AD13
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\consolhq ltd\consolehq 1.12.3\install\52455d3\installer.msi" ai_setupexepath=c:\users\user\desktop\w4xl662ce7.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488867 " ai_euimsi=""
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FCEAB0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle, 0_2_00FCEAB0
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx, 0_2_00FC4050
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: GetLocaleInfoW, 0_2_01050186
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: GetLocaleInfoW, 0_2_010541E6
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0105430F
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: GetLocaleInfoW, 0_2_01054415
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_010544E4
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_01053B80
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: GetLocaleInfoW, 0_2_01053D7B
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: EnumSystemLocalesW, 0_2_0104FC09
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: EnumSystemLocalesW, 0_2_01053F08
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_01053F93
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: EnumSystemLocalesW, 0_2_01053E22
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: EnumSystemLocalesW, 0_2_01053E6D
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FDBB20 CreateNamedPipeW,CreateFileW, 0_2_00FDBB20
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_010372F4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_010372F4
Source: C:\Users\user\Desktop\w4Xl662CE7.exe Code function: 0_2_00FDA240 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW, 0_2_00FDA240
No contacted IP infos