Windows Analysis Report
zc4BfiuQaY.exe

Overview

General Information

Sample name: zc4BfiuQaY.exe
renamed because original name is a hash value
Original sample name: d9f25cc394bf90900187582eec063df5b50cf1e212354148d6ee2e0a51f1e769.exe
Analysis ID: 1554998
MD5: 3d49b064ee1a75fb60a829078a173456
SHA1: 310734989ce6bca1649848d4403b6f4c7f263167
SHA256: d9f25cc394bf90900187582eec063df5b50cf1e212354148d6ee2e0a51f1e769
Tags: ConsolHQLTD, exe, user-JAMESWT_MHT

Detection

Score: 32
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Query firmware table information (likely to detect VMs)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Source: zc4BfiuQaY.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: zc4BfiuQaY.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: zc4BfiuQaY.exe, 00000000.00000003.2097824779.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, shi6806.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: zc4BfiuQaY.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: zc4BfiuQaY.exe, 00000000.00000003.2097824779.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, shi6806.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: zc4BfiuQaY.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: zc4BfiuQaY.exe
Source: C:\Windows\SysWOW64\msiexec.exe File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F243B0 FindFirstFileW,GetLastError,FindClose, 0_2_00F243B0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F42380 FindFirstFileW,FindClose, 0_2_00F42380
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E3A950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, 0_2_00E3A950
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F414D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00F414D0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F23DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_00F23DE0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F2C0B0 FindFirstFileW,FindClose,FindClose, 0_2_00F2C0B0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F3E3A0 FindFirstFileW,FindClose, 0_2_00F3E3A0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F4E610 FindFirstFileW,FindClose, 0_2_00F4E610
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F4B3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00F4B3D0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F4B7D0 FindFirstFileW,FindClose, 0_2_00F4B7D0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F23A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_00F23A50
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F5FB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00F5FB20
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F4A620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00F4A620
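The "Code function" entries above are flat API-call chains; the signatures in the summary ("Checks for available system drives", the FindFirstFileW directory walks) are derived from which APIs occur together in one function. The following script is an added example written for this page, not the sandbox's own signature engine: it parses entries in the exact format printed above and applies a small all-of rule table of my own (the sandbox's real rules are not published here). The sample entries are copied from this report. It also shows why a lone FindFirstFileW (an existence check) should not be scored as a directory walk, and that the drive enumeration in 0_2_00F4A620 sits next to a GetDiskFreeSpaceExW routine, which is what an installer picking an install target looks like.

```python
"""Map the API-call chains in 'Code function' entries to behaviour tags.

Added example for this page, not the sandbox's own signature engine.
Assumptions: the entry format 'Source: <path> Code function: <id> <api>,<api>, <id>'
as printed in this report, and the RULES table below, which is mine.
"""
import re
from collections import Counter

# Constructed sample: five entries copied verbatim from this report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F23DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_00F23DE0",
    r"Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F4A620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00F4A620",
    r"Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F4C990 GetDiskFreeSpaceExW, 0_2_00F4C990",
    r"Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00EE1FB0 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W, 0_2_00EE1FB0",
    r"Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F5B350 0_2_00F5B350",
]

# '<id> <api>,<api>, <id>' or, for functions with no recognised imports, '<id> <id>'.
CODE_FUNCTION_RE = re.compile(
    r"Code function: (?P<fid>\d+_\d+_[0-9A-Fa-f]+) (?:(?P<apis>[\w.]+(?:,[\w.]+)*),)? ?(?P=fid)$"
)

# All APIs in a set must appear in one chain for the tag to fire (my rule table).
# A single FindFirstFileW without FindNextFileW is an existence check, not a walk.
RULES = {
    "drive_enumeration": {"GetLogicalDriveStringsW", "GetDriveTypeW"},
    "directory_walk": {"FindFirstFileW", "FindNextFileW"},
    "file_attribute_change": {"SetFileAttributesW"},
    "wow64_redirection_toggle": {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection"},
    "free_space_query": {"GetDiskFreeSpaceExW"},
    "dynamic_library_load": {"LoadLibraryExW"},
}


def parse_code_function(line):
    """Return (function_id, [api, ...]) for a 'Code function' entry, else None."""
    m = CODE_FUNCTION_RE.search(line.strip())
    if not m:
        return None
    apis = m.group("apis")
    return m.group("fid"), (apis.split(",") if apis else [])


def classify(apis):
    """Tags whose required API set is fully present in the chain."""
    present = set(apis)
    return {tag for tag, needed in RULES.items() if needed <= present}


def triage(lines):
    """Return ({function_id: tags}, Counter of tag frequency) over report lines."""
    per_function, counts = {}, Counter()
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue  # not a 'Code function' entry
        fid, apis = parsed
        tags = classify(apis)
        per_function[fid] = tags
        counts.update(tags)
    return per_function, counts


def untagged(per_function):
    """Functions listed with an address but no recognised chain; candidates for a manual look."""
    return sorted(fid for fid, tags in per_function.items() if not tags)


if __name__ == "__main__":
    per_function, counts = triage(SAMPLE_LINES)
    for fid, tags in per_function.items():
        print(fid, sorted(tags))
    print("untagged:", untagged(per_function))
    print(counts)
```

Run it on the whole report (one entry per line) to get the tag histogram; the point of the all-of rules is that the scored behaviour is the combination, not any single import.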
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49704
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:60249
Source: zc4BfiuQaY.exe String found in binary or memory: RShlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: zc4BfiuQaY.exe, 00000000.00000002.2187176747.0000000001038000.00000002.00000001.01000000.00000003.sdmp, zc4BfiuQaY.exe, 00000000.00000000.2042273980.0000000001038000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Shlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: shi6806.tmp.0.dr String found in binary or memory: http://.css
Source: shi6806.tmp.0.dr String found in binary or memory: http://.jpg
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2184922952.0000000004305000.00000004.00000020.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2184922952.0000000004305000.00000004.00000020.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2184922952.0000000004305000.00000004.00000020.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shi6806.tmp.0.dr String found in binary or memory: http://html4/loose.dtd
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, Installer.msi.0.dr String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2184922952.0000000004305000.00000004.00000020.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2184922952.0000000004305000.00000004.00000020.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2184922952.0000000004305000.00000004.00000020.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: http://t2.symcb.com0
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2184922952.0000000004305000.00000004.00000020.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2184922952.0000000004305000.00000004.00000020.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2184922952.0000000004305000.00000004.00000020.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: http://tl.symcd.com0&
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2184922952.0000000004305000.00000004.00000020.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2184922952.0000000004305000.00000004.00000020.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: https://www.advancedinstaller.com
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2184922952.0000000004305000.00000004.00000020.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, zc4BfiuQaY.exe, 00000000.00000003.2184922952.0000000004305000.00000004.00000020.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F615E0 NtdllDefWindowProc_W, 0_2_00F615E0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00EE1FB0 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W, 0_2_00EE1FB0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E80010 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00E80010
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E32250 NtdllDefWindowProc_W, 0_2_00E32250
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E3C4F0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection, 0_2_00E3C4F0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E38720 NtdllDefWindowProc_W, 0_2_00E38720
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E38890 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00E38890
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E2EBE0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00E2EBE0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E80BAA ShowWindow,ShowWindow,GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00E80BAA
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E80CE3 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00E80CE3
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E80C22 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00E80C22
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E76EE0 NtdllDefWindowProc_W, 0_2_00E76EE0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E2F190 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString, 0_2_00E2F190
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E4D320 NtdllDefWindowProc_W, 0_2_00E4D320
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E415F0 NtdllDefWindowProc_W, 0_2_00E415F0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E31670 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow, 0_2_00E31670
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E2F7C0 NtdllDefWindowProc_W, 0_2_00E2F7C0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E31C90 NtdllDefWindowProc_W, 0_2_00E31C90
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00EC7F20 NtdllDefWindowProc_W, 0_2_00EC7F20
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\516c7b.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7015.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI70C2.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7101.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7122.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI7015.tmp
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E3A950 0_2_00E3A950
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F5B350 0_2_00F5B350
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00EFB7A0 0_2_00EFB7A0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F37D70 0_2_00F37D70
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E46070 0_2_00E46070
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E441B0 0_2_00E441B0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00FBE2BE 0_2_00FBE2BE
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E3E290 0_2_00E3E290
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00FBE64C 0_2_00FBE64C
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F02A50 0_2_00F02A50
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00FD8B95 0_2_00FD8B95
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E38CD0 0_2_00E38CD0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E22F40 0_2_00E22F40
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E552F0 0_2_00E552F0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E435A0 0_2_00E435A0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F9D550 0_2_00F9D550
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00FD3631 0_2_00FD3631
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E47630 0_2_00E47630
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E7FA40 0_2_00E7FA40
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00FCDD6A 0_2_00FCDD6A
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E93FC0 0_2_00E93FC0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: String function: 00F1E6D0 appears 60 times
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: String function: 00E29390 appears 41 times
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: String function: 00E26FF0 appears 46 times
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: String function: 00E27070 appears 53 times
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: String function: 00E299C0 appears 69 times
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: String function: 00F1E770 appears 31 times
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: String function: 00E53810 appears 91 times
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: String function: 00E28800 appears 223 times
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs zc4BfiuQaY.exe
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrereq.dllF vs zc4BfiuQaY.exe
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelzmaextractor.dllF vs zc4BfiuQaY.exe
Source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs zc4BfiuQaY.exe
Source: zc4BfiuQaY.exe, 00000000.00000003.2097824779.00000000058CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs zc4BfiuQaY.exe
Source: zc4BfiuQaY.exe, 00000000.00000002.2187261507.00000000010E6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameInstaller.exe4 vs zc4BfiuQaY.exe
Source: zc4BfiuQaY.exe, 00000000.00000003.2045135504.000000000142F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDecoder.dllF vs zc4BfiuQaY.exe
Source: zc4BfiuQaY.exe Binary or memory string: OriginalFileNameInstaller.exe4 vs zc4BfiuQaY.exe
Source: zc4BfiuQaY.exe Binary or memory string: OriginalFilenameDecoder.dllF vs zc4BfiuQaY.exe
Source: zc4BfiuQaY.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: shi6806.tmp.0.dr Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine Classification label: sus32.evad.winEXE@8/13@0/0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F22230 FormatMessageW,GetLastError, 0_2_00F22230
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F4C990 GetDiskFreeSpaceExW, 0_2_00F4C990
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F66D50 CoCreateInstance, 0_2_00F66D50
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00EBAB40 FindResourceW,LoadResource,LockResource,SizeofResource, 0_2_00EBAB40
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe File created: C:\Users\user\AppData\Local\Temp\shi6806.tmp
Source: zc4BfiuQaY.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe File read: C:\Users\user\Desktop\zc4BfiuQaY.exe
Source: unknown Process created: C:\Users\user\Desktop\zc4BfiuQaY.exe "C:\Users\user\Desktop\zc4BfiuQaY.exe"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 55E60B238A8A3DD32D3B86B94F88D00E C
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\zc4BfiuQaY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488861 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding DB9E10EE80EF0F3ED2D34BAE27880B07
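The process chain above is the shape of an Advanced Installer bootstrapper: the sample extracts an MSI under the user's AppData, launches msiexec.exe /i on it with AI_* properties, and the Windows Installer service (msiexec /V) then spawns 32-bit MsiExec.exe -Embedding custom-action servers for the bundled AICustAct/Prereq/SoftwareDetector DLLs. Telling that apart from malware that merely abuses msiexec.exe is a matter of parsing the command lines, so here is an added example written for this page (not the sandbox's tooling) that does exactly that over the five "Process created" entries copied from this report. It assumes the entry format printed above; the reading of "/wintime <n>" in EXE_CMD_LINE as a Unix epoch is my assumption, the report does not define it.

```python
"""Triage the 'Process created' entries of a sandbox report.

Added example for this page, not the sandbox's own tooling.
Assumptions: entries look like 'Source: <parent> Process created: <image> <cmdline>'
exactly as printed in this report, and '/wintime <n>' inside EXE_CMD_LINE is a
Unix epoch (assumption; the report does not define it).
"""
import re
from datetime import datetime, timezone

# Constructed sample: the five 'Process created' entries of this report, verbatim.
SAMPLE_LINES = [
    r'Source: unknown Process created: C:\Users\user\Desktop\zc4BfiuQaY.exe "C:\Users\user\Desktop\zc4BfiuQaY.exe"',
    r'Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V',
    r'Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 55E60B238A8A3DD32D3B86B94F88D00E C',
    r'Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\zc4BfiuQaY.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488861 " AI_EUIMSI=""',
    r'Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding DB9E10EE80EF0F3ED2D34BAE27880B07',
]

LINE_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+) (?P<cmdline>.*)$")
# A Windows command-line token: unquoted runs and/or double-quoted spans glued
# together, so KEY="value with spaces" survives as one token.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
PROP_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def strip_quotes(s):
    return s[1:-1] if len(s) >= 2 and s[0] == '"' and s[-1] == '"' else s


def parse_process_line(line):
    """Split one entry into parent, image, positional argv and MSI PROPERTY=value pairs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    argv, props = [], {}
    for tok in TOKEN_RE.findall(m.group("cmdline")):
        p = PROP_RE.match(tok)
        if p:
            props[p.group(1)] = strip_quotes(p.group(2))
        else:
            argv.append(strip_quotes(tok))
    return {"parent": m.group("parent"), "image": m.group("image"), "argv": argv, "props": props}


def triage(rec):
    """Tag one record; only msiexec.exe command lines are scored here."""
    argv = rec["argv"]
    if not argv or argv[0].lower().rsplit("\\", 1)[-1] != "msiexec.exe":
        return []
    findings = []
    switches = [a.lower() for a in argv[1:]]
    if "/v" in switches:            # the Windows Installer service host
        findings.append("windows_installer_service")
    if "-embedding" in switches:    # custom-action server spawned by that service
        findings.append("custom_action_server")
    if "/i" in switches:
        i = switches.index("/i")
        package = argv[i + 2] if i + 2 < len(argv) else ""
        if re.search(r"\\users\\|\\appdata\\|\\temp\\", package.lower()):
            findings.append("msi_package_in_user_profile")
        if any(k.startswith("AI_") for k in rec["props"]):
            findings.append("advanced_installer_bootstrapper")
    return findings


def decode_wintime(props):
    """Interpret '/wintime <n>' inside EXE_CMD_LINE as a Unix epoch (assumption), UTC."""
    parts = props.get("EXE_CMD_LINE", "").split()
    if "/wintime" not in parts or parts.index("/wintime") + 1 >= len(parts):
        return None
    return datetime.fromtimestamp(int(parts[parts.index("/wintime") + 1]), tz=timezone.utc)


def children_of(records, parent):
    """Images spawned by a given parent, to rebuild the process tree from flat entries."""
    return [r["image"] for r in records if r["parent"] == parent]


def triage_report(lines):
    """[(argv[0], findings), ...] for every parseable entry."""
    records = [r for r in map(parse_process_line, lines) if r]
    return [(r["argv"][0], triage(r)) for r in records]


if __name__ == "__main__":
    for image, findings in triage_report(SAMPLE_LINES):
        print(image, findings)
    rec = parse_process_line(SAMPLE_LINES[3])
    print("wintime:", decode_wintime(rec["props"]))
```

The two findings on the /i line together (package under the user profile plus AI_SETUPEXEPATH/AI_EUIMSI properties) are the bootstrapper pattern; a detection that keys only on "msiexec /i from AppData" will fire on every Advanced Installer setup, so the AI_* properties and the SETUPEXEDIR path are what to pivot on when deciding whether the dropper is the signed installer it claims to be.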
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: lpk.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: msihnd.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: zc4BfiuQaY.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: zc4BfiuQaY.exe Static file information: File size 49198904 > 1048576
Source: zc4BfiuQaY.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x216e00
Source: zc4BfiuQaY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: zc4BfiuQaY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: zc4BfiuQaY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: zc4BfiuQaY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: zc4BfiuQaY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: zc4BfiuQaY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: zc4BfiuQaY.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: zc4BfiuQaY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wininet.pdb source: zc4BfiuQaY.exe, 00000000.00000003.2097824779.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, shi6806.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.0000000004526000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: zc4BfiuQaY.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI7122.tmp.2.dr, MSI6A3B.tmp.0.dr, Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: zc4BfiuQaY.exe, 00000000.00000003.2097824779.00000000058CE000.00000004.00000020.00020000.00000000.sdmp, shi6806.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, MSI68D3.tmp.0.dr, MSI7015.tmp.2.dr, MSI70C2.tmp.2.dr, Installer.msi.0.dr, MSI7101.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: zc4BfiuQaY.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: zc4BfiuQaY.exe, 00000000.00000003.2081057261.00000000043D0000.00000004.00001000.00020000.00000000.sdmp, 516c7b.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: zc4BfiuQaY.exe
Source: zc4BfiuQaY.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: zc4BfiuQaY.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: zc4BfiuQaY.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: zc4BfiuQaY.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: zc4BfiuQaY.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shi6806.tmp.0.dr Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F22350 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00F22350
Source: shi6806.tmp.0.dr Static PE information: section name: .wpp_sf
Source: shi6806.tmp.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_3_013F8ED4 pushfd ; ret 0_3_013F8ED5
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_3_013F8ED4 pushfd ; ret 0_3_013F8ED5
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_3_01415B00 push ebx; ret 0_3_01415B01
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_3_01415B00 push ebx; ret 0_3_01415B01
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_3_0141BDF0 pushfd ; ret 0_3_0141BDF1
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_3_0141BDF0 pushfd ; ret 0_3_0141BDF1
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_3_01415B00 push ebx; ret 0_3_01415B01
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_3_01415B00 push ebx; ret 0_3_01415B01
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_3_0141BDF0 pushfd ; ret 0_3_0141BDF1
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_3_0141BDF0 pushfd ; ret 0_3_0141BDF1
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_3_013F8ED4 pushfd ; ret 0_3_013F8ED5
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_3_013F8ED4 pushfd ; ret 0_3_013F8ED5
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E8A486 push esi; ret 0_2_00E8A488
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00FB6C6E push ecx; ret 0_2_00FB6C81
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F03330 push ecx; mov dword ptr [esp], 3F800000h 0_2_00F03478
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E35BE0 push ecx; mov dword ptr [esp], ecx 0_2_00E35BE1
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7122.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7101.tmp
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe File created: C:\Users\user\AppData\Local\Temp\MSI68D3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7015.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI70C2.tmp
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe File created: C:\Users\user\AppData\Local\Temp\shi6806.tmp
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe File created: C:\Users\user\AppData\Local\Temp\MSI6A3B.tmp
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7122.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7101.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7015.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI70C2.tmp
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\msiexec.exe System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\msiexec.exe System information queried: FirmwareTableInformation
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7122.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7101.tmp
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI68D3.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI70C2.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7015.tmp
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi6806.tmp
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6A3B.tmp
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install FullSizeInformation
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3 FullSizeInformation
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F243B0 FindFirstFileW,GetLastError,FindClose, 0_2_00F243B0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F42380 FindFirstFileW,FindClose, 0_2_00F42380
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E3A950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, 0_2_00E3A950
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F414D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00F414D0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F23DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_00F23DE0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F2C0B0 FindFirstFileW,FindClose,FindClose, 0_2_00F2C0B0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F3E3A0 FindFirstFileW,FindClose, 0_2_00F3E3A0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F4E610 FindFirstFileW,FindClose, 0_2_00F4E610
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F4B3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00F4B3D0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F4B7D0 FindFirstFileW,FindClose, 0_2_00F4B7D0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F23A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_00F23A50
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F5FB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00F5FB20
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F4A620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00F4A620
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00FB365A VirtualQuery,GetSystemInfo, 0_2_00FB365A
Source: zc4BfiuQaY.exe Binary or memory string: &VmCi
Source: Installer.msi.0.dr Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00FBAD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00FBAD13
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F577C0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers, 0_2_00F577C0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F22350 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00F22350
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00FCC66D mov ecx, dword ptr fs:[00000030h] 0_2_00FCC66D
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00FD783E mov eax, dword ptr fs:[00000030h] 0_2_00FD783E
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00FB5CA1 mov esi, dword ptr fs:[00000030h] 0_2_00FB5CA1
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00FB5D0D GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_00FB5D0D
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00E521E0 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00E521E0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00FB6738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00FB6738
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00FBAD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00FBAD13
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\consolhq ltd\consolehq 1.12.3\install\52455d3\installer.msi" ai_setupexepath=c:\users\user\desktop\zc4bfiuqay.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488861 " ai_euimsi=""
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\consolhq ltd\consolehq 1.12.3\install\52455d3\installer.msi" ai_setupexepath=c:\users\user\desktop\zc4bfiuqay.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488861 " ai_euimsi=""
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F4EAB0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle, 0_2_00F4EAB0
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx, 0_2_00F44050
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: GetLocaleInfoW, 0_2_00FD41E6
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: GetLocaleInfoW, 0_2_00FD0186
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00FD430F
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00FD44E4
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: GetLocaleInfoW, 0_2_00FD4415
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00FD3B80
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: EnumSystemLocalesW, 0_2_00FCFC09
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: GetLocaleInfoW, 0_2_00FD3D7B
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: EnumSystemLocalesW, 0_2_00FD3E6D
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: EnumSystemLocalesW, 0_2_00FD3E22
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00FD3F93
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: EnumSystemLocalesW, 0_2_00FD3F08
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F5BB20 CreateNamedPipeW,CreateFileW, 0_2_00F5BB20
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00FB72F4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00FB72F4
Source: C:\Users\user\Desktop\zc4BfiuQaY.exe Code function: 0_2_00F5A240 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW, 0_2_00F5A240
No contacted IP infos