Windows Analysis Report
pYcFueZgOd.exe

Overview

General Information

Sample name: pYcFueZgOd.exe
renamed because original name is a hash value
Original sample name: 5c66f9bca9f767940d4cb22b59f77a5459c8625bdcc4824fbe42af548e5e5d83.exe
Analysis ID: 1554999
MD5: 196bba4588947b52ece8dc38cd566b24
SHA1: cb31b0ce35428b4d8ad22a52547c04a517d89e68
SHA256: 5c66f9bca9f767940d4cb22b59f77a5459c8625bdcc4824fbe42af548e5e5d83
Tags: ConsolHQLTDexeuser-JAMESWT_MHT

Detection

Score: 32
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Query firmware table information (likely to detect VMs)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Source: pYcFueZgOd.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: pYcFueZgOd.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: pYcFueZgOd.exe, 00000000.00000003.2217124522.0000000005BA6000.00000004.00000020.00020000.00000000.sdmp, shi7EE7.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: pYcFueZgOd.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, MSI814A.tmp.0.dr, MSI8811.tmp.2.dr, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, MSI814A.tmp.0.dr, MSI8811.tmp.2.dr, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: pYcFueZgOd.exe, 00000000.00000003.2217124522.0000000005BA6000.00000004.00000020.00020000.00000000.sdmp, shi7EE7.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: pYcFueZgOd.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: pYcFueZgOd.exe
Source: C:\Windows\SysWOW64\msiexec.exe File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DC2380 FindFirstFileW,FindClose, 0_2_00DC2380
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DA43B0 FindFirstFileW,GetLastError,FindClose, 0_2_00DA43B0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CBA950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, 0_2_00CBA950
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DC14D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00DC14D0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DA3DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_00DA3DE0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DAC0B0 FindFirstFileW,FindClose,FindClose, 0_2_00DAC0B0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DBE3A0 FindFirstFileW,FindClose, 0_2_00DBE3A0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DCE610 FindFirstFileW,FindClose, 0_2_00DCE610
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DCB3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00DCB3D0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DCB7D0 FindFirstFileW,FindClose, 0_2_00DCB7D0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DA3A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_00DA3A50
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DDFB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00DDFB20
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DCA620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00DCA620
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:49748
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:49964
Source: pYcFueZgOd.exe String found in binary or memory: RShlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: pYcFueZgOd.exe, 00000000.00000002.2282585266.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp, pYcFueZgOd.exe, 00000000.00000000.2159340655.0000000000EB8000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Shlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: shi7EE7.tmp.0.dr String found in binary or memory: http://.css
Source: shi7EE7.tmp.0.dr String found in binary or memory: http://.jpg
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shi7EE7.tmp.0.dr String found in binary or memory: http://html4/loose.dtd
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, 6c83b9.msi.2.dr, Installer.msi.0.dr String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://t2.symcb.com0
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://tl.symcd.com0&
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: https://www.advancedinstaller.com
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: pYcFueZgOd.exe, 00000000.00000002.2284677443.0000000004606000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2279677005.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI814A.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8811.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DE15E0 NtdllDefWindowProc_W, 0_2_00DE15E0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00D61FB0 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W, 0_2_00D61FB0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00D00010 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00D00010
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CB2250 NtdllDefWindowProc_W, 0_2_00CB2250
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CBC4F0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection, 0_2_00CBC4F0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CB8720 NtdllDefWindowProc_W, 0_2_00CB8720
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CB8890 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00CB8890
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CAEBE0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00CAEBE0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00D00BAA ShowWindow,ShowWindow,GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00D00BAA
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00D00CE3 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00D00CE3
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00D00C22 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 0_2_00D00C22
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CF6EE0 NtdllDefWindowProc_W, 0_2_00CF6EE0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CAF190 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString, 0_2_00CAF190
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CCD320 NtdllDefWindowProc_W, 0_2_00CCD320
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CC15F0 NtdllDefWindowProc_W, 0_2_00CC15F0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CB1670 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow, 0_2_00CB1670
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CAF7C0 NtdllDefWindowProc_W, 0_2_00CAF7C0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CB1C90 NtdllDefWindowProc_W, 0_2_00CB1C90
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00D47F20 NtdllDefWindowProc_W, 0_2_00D47F20
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6c83b9.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8743.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI87A2.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI87F1.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8811.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI8743.tmp
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01502CB4 0_3_01502CB4
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01502CB4 0_3_01502CB4
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_014DF770 0_3_014DF770
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01502CB4 0_3_01502CB4
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01502CB4 0_3_01502CB4
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CBA950 0_2_00CBA950
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DDB350 0_2_00DDB350
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DB7D70 0_2_00DB7D70
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CC6070 0_2_00CC6070
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CC41B0 0_2_00CC41B0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CBE290 0_2_00CBE290
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00E3E2BE 0_2_00E3E2BE
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00E3E64C 0_2_00E3E64C
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00D82A50 0_2_00D82A50
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00E58B95 0_2_00E58B95
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CB8CD0 0_2_00CB8CD0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CA2F40 0_2_00CA2F40
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CD52F0 0_2_00CD52F0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CC35A0 0_2_00CC35A0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00E1D550 0_2_00E1D550
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00E53631 0_2_00E53631
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CC7630 0_2_00CC7630
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00D7B7A0 0_2_00D7B7A0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CFFA40 0_2_00CFFA40
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00E4DD6A 0_2_00E4DD6A
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00D13FC0 0_2_00D13FC0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: String function: 00D9E6D0 appears 59 times
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: String function: 00CA8800 appears 223 times
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: String function: 00D9E770 appears 31 times
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: String function: 00CA9390 appears 41 times
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: String function: 00CD3810 appears 90 times
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: String function: 00CA99C0 appears 69 times
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: String function: 00CA7070 appears 53 times
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: String function: 00CA6FF0 appears 46 times
Source: pYcFueZgOd.exe, 00000000.00000003.2162923408.000000000151C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDecoder.dllF vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelzmaextractor.dllF vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe, 00000000.00000002.2282867444.0000000000F66000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameInstaller.exe8 vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe, 00000000.00000003.2217124522.0000000005BA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrereq.dllF vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe Binary or memory string: OriginalFileNameInstaller.exe8 vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe Binary or memory string: OriginalFilenameDecoder.dllF vs pYcFueZgOd.exe
Source: pYcFueZgOd.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: shi7EE7.tmp.0.dr Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine Classification label: sus32.evad.winEXE@8/13@0/0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DA2230 FormatMessageW,GetLastError, 0_2_00DA2230
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DCC990 GetDiskFreeSpaceExW, 0_2_00DCC990
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DE6D50 CoCreateInstance, 0_2_00DE6D50
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00D3AB40 FindResourceW,LoadResource,LockResource,SizeofResource, 0_2_00D3AB40
Source: C:\Users\user\Desktop\pYcFueZgOd.exe File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD
Source: C:\Users\user\Desktop\pYcFueZgOd.exe File created: C:\Users\user\AppData\Local\Temp\shi7EE7.tmp
Source: pYcFueZgOd.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pYcFueZgOd.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\pYcFueZgOd.exe File read: C:\Users\user\Desktop\pYcFueZgOd.exe
Source: unknown Process created: C:\Users\user\Desktop\pYcFueZgOd.exe "C:\Users\user\Desktop\pYcFueZgOd.exe"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 161E3B14046EDAE7687DCE0A2DE92319 C
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\pYcFueZgOd.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488858 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 086D93F0B7AD81A713F30BD085B16B8B
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\pYcFueZgOd.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488858 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 161E3B14046EDAE7687DCE0A2DE92319 C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 086D93F0B7AD81A713F30BD085B16B8B
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: lpk.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: msihnd.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: tsappcmp.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: pYcFueZgOd.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: pYcFueZgOd.exe Static file information: File size 49199285 > 1048576
Source: pYcFueZgOd.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x216e00
Source: pYcFueZgOd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pYcFueZgOd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pYcFueZgOd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pYcFueZgOd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pYcFueZgOd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pYcFueZgOd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: pYcFueZgOd.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: pYcFueZgOd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wininet.pdb source: pYcFueZgOd.exe, 00000000.00000003.2217124522.0000000005BA6000.00000004.00000020.00020000.00000000.sdmp, shi7EE7.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: pYcFueZgOd.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.0000000004816000.00000004.00001000.00020000.00000000.sdmp, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, MSI814A.tmp.0.dr, MSI8811.tmp.2.dr, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, MSI814A.tmp.0.dr, MSI8811.tmp.2.dr, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: wininet.pdbUGP source: pYcFueZgOd.exe, 00000000.00000003.2217124522.0000000005BA6000.00000004.00000020.00020000.00000000.sdmp, shi7EE7.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, MSI7F84.tmp.0.dr, MSI87F1.tmp.2.dr, MSI8743.tmp.2.dr, 6c83b9.msi.2.dr, MSI87A2.tmp.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: pYcFueZgOd.exe, decoder.dll.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: pYcFueZgOd.exe, 00000000.00000003.2203217484.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, 6c83b9.msi.2.dr, Installer.msi.0.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: pYcFueZgOd.exe
Source: pYcFueZgOd.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: pYcFueZgOd.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: pYcFueZgOd.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: pYcFueZgOd.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: pYcFueZgOd.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shi7EE7.tmp.0.dr Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DA2350 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00DA2350
Source: shi7EE7.tmp.0.dr Static PE information: section name: .wpp_sf
Source: shi7EE7.tmp.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01509841 pushfd ; retf 0_3_01509842
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01509841 pushfd ; retf 0_3_01509842
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01504D7B push edi; ret 0_3_01504E19
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01504D7B push edi; ret 0_3_01504E19
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01504080 push eax; ret 0_3_01504081
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01504080 push eax; ret 0_3_01504081
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01504B21 push ebx; ret 0_3_01504B49
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01504B21 push ebx; ret 0_3_01504B49
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_014ED4FD push 5563014Eh; iretd 0_3_014ED502
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01509841 pushfd ; retf 0_3_01509842
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01509841 pushfd ; retf 0_3_01509842
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01504D7B push edi; ret 0_3_01504E19
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01504D7B push edi; ret 0_3_01504E19
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01504080 push eax; ret 0_3_01504081
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01504080 push eax; ret 0_3_01504081
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01504B21 push ebx; ret 0_3_01504B49
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_3_01504B21 push ebx; ret 0_3_01504B49
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00D0A486 push esi; ret 0_2_00D0A488
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00E36C6E push ecx; ret 0_2_00E36C81
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00D83330 push ecx; mov dword ptr [esp], 3F800000h 0_2_00D83478
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CB5BE0 push ecx; mov dword ptr [esp], ecx 0_2_00CB5BE1
Source: C:\Users\user\Desktop\pYcFueZgOd.exe File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install\decoder.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe File created: C:\Users\user\AppData\Local\Temp\MSI7F84.tmp
Source: C:\Users\user\Desktop\pYcFueZgOd.exe File created: C:\Users\user\AppData\Local\Temp\MSI814A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8743.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI87F1.tmp
Source: C:\Users\user\Desktop\pYcFueZgOd.exe File created: C:\Users\user\AppData\Local\Temp\shi7EE7.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8811.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI87A2.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8743.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI87F1.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8811.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI87A2.tmp
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\msiexec.exe System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\msiexec.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install\decoder.dll
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI7F84.tmp
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI814A.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8743.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI87F1.tmp
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi7EE7.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8811.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI87A2.tmp
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\pYcFueZgOd.exe File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\pYcFueZgOd.exe File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install FullSizeInformation
Source: C:\Users\user\Desktop\pYcFueZgOd.exe File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\SkimarUtils 1.12.3\install\52455D3 FullSizeInformation
Source: C:\Users\user\Desktop\pYcFueZgOd.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DC2380 FindFirstFileW,FindClose, 0_2_00DC2380
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DA43B0 FindFirstFileW,GetLastError,FindClose, 0_2_00DA43B0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CBA950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, 0_2_00CBA950
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DC14D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 0_2_00DC14D0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DA3DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_00DA3DE0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DAC0B0 FindFirstFileW,FindClose,FindClose, 0_2_00DAC0B0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DBE3A0 FindFirstFileW,FindClose, 0_2_00DBE3A0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DCE610 FindFirstFileW,FindClose, 0_2_00DCE610
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DCB3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00DCB3D0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DCB7D0 FindFirstFileW,FindClose, 0_2_00DCB7D0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DA3A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_00DA3A50
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DDFB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 0_2_00DDFB20
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DCA620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 0_2_00DCA620
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00E3365A VirtualQuery,GetSystemInfo, 0_2_00E3365A
Source: pYcFueZgOd.exe Binary or memory string: &VmCi
Source: Installer.msi.0.dr Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00E3AD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E3AD13
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DD77C0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers, 0_2_00DD77C0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DA2350 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00DA2350
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00E4C66D mov ecx, dword ptr fs:[00000030h] 0_2_00E4C66D
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00E5783E mov eax, dword ptr fs:[00000030h] 0_2_00E5783E
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00E35CA1 mov esi, dword ptr fs:[00000030h] 0_2_00E35CA1
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00E35D0D GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_00E35D0D
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00CD21E0 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00CD21E0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00E36738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00E36738
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00E3AD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00E3AD13
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\consolhq ltd\skimarutils 1.12.3\install\52455d3\installer.msi" ai_setupexepath=c:\users\user\desktop\pycfuezgod.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488858 " ai_euimsi=""
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\consolhq ltd\skimarutils 1.12.3\install\52455d3\installer.msi" ai_setupexepath=c:\users\user\desktop\pycfuezgod.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488858 " ai_euimsi=""
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DCEAB0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle, 0_2_00DCEAB0
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx, 0_2_00DC4050
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: GetLocaleInfoW, 0_2_00E541E6
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: GetLocaleInfoW, 0_2_00E50186
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00E5430F
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00E544E4
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: GetLocaleInfoW, 0_2_00E54415
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_00E53B80
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: EnumSystemLocalesW, 0_2_00E4FC09
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: GetLocaleInfoW, 0_2_00E53D7B
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: EnumSystemLocalesW, 0_2_00E53E6D
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: EnumSystemLocalesW, 0_2_00E53E22
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00E53F93
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: EnumSystemLocalesW, 0_2_00E53F08
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DDBB20 CreateNamedPipeW,CreateFileW, 0_2_00DDBB20
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00E372F4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00E372F4
Source: C:\Users\user\Desktop\pYcFueZgOd.exe Code function: 0_2_00DDA240 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW, 0_2_00DDA240
No contacted IP infos