Windows Analysis Report
2c6HNWVywp.exe

Overview

General Information

Sample name: 2c6HNWVywp.exe
renamed because original name is a hash value
Original sample name: 1cea2e1892ef23d3a26c3c00ba38db8e54e6fa520681f8fa49d0d21350d86ffa.exe
Analysis ID: 1555001
MD5: e121092ae5eef25b54cc9f8cf9401dbf
SHA1: 4dea659e2b2f67d0bfcba61fb3e41c2595d1a46b
SHA256: 1cea2e1892ef23d3a26c3c00ba38db8e54e6fa520681f8fa49d0d21350d86ffa
Tags: ConsolHQLTDexeuser-JAMESWT_MHT

Detection

Score: 13
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Source: 2c6HNWVywp.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2c6HNWVywp.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: 2c6HNWVywp.exe, 00000005.00000003.1325297826.0000000005777000.00000004.00000020.00020000.00000000.sdmp, shiFAD5.tmp.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 50fd66.msi.7.dr, Installer.msi.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 50fd66.msi.7.dr, Installer.msi.5.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: 2c6HNWVywp.exe, decoder.dll.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, MSIFF2E.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, Installer.msi.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, MSIFF2E.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, Installer.msi.5.dr
Source: Binary string: wininet.pdbUGP source: 2c6HNWVywp.exe, 00000005.00000003.1325297826.0000000005777000.00000004.00000020.00020000.00000000.sdmp, shiFAD5.tmp.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: 2c6HNWVywp.exe, decoder.dll.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 50fd66.msi.7.dr, Installer.msi.5.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: 2c6HNWVywp.exe
Source: C:\Windows\SysWOW64\msiexec.exe File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003A43B0 FindFirstFileW,GetLastError,FindClose, 5_2_003A43B0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003C2380 FindFirstFileW,FindClose, 5_2_003C2380
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002BA950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, 5_2_002BA950
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003C14D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 5_2_003C14D0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003A3DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 5_2_003A3DE0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003AC0B0 FindFirstFileW,FindClose,FindClose, 5_2_003AC0B0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003BE3A0 FindFirstFileW,FindClose, 5_2_003BE3A0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003CE610 FindFirstFileW,FindClose, 5_2_003CE610
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003CB3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 5_2_003CB3D0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003CB7D0 FindFirstFileW,FindClose, 5_2_003CB7D0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003A3A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 5_2_003A3A50
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003DFB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 5_2_003DFB20
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003CA620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 5_2_003CA620
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.10:49773
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.10:49974
Source: 2c6HNWVywp.exe, 00000005.00000002.1405990433.00000000004B8000.00000002.00000001.01000000.00000004.sdmp, 2c6HNWVywp.exe, 00000005.00000000.1275948020.00000000004B8000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: <Shlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: 2c6HNWVywp.exe String found in binary or memory: RShlwapi.dllShell32.dllmsiexec.exebinJavaHomeSoftware\JavaSoft\Java Development Kit\Software\JavaSoft\Java Runtime Environment\FlashWindowExFlashWindowKernel32.dllGetPackagePathhttp://www.example.comTESThttp://www.google.comhttp://www.yahoo.comtin9999.tmp.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: shiFAD5.tmp.5.dr String found in binary or memory: http://.css
Source: shiFAD5.tmp.5.dr String found in binary or memory: http://.jpg
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shiFAD5.tmp.5.dr String found in binary or memory: http://html4/loose.dtd
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 50fd66.msi.7.dr, Installer.msi.5.dr String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: http://t2.symcb.com0
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: http://tl.symcd.com0&
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: https://www.advancedinstaller.com
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: 2c6HNWVywp.exe, 00000005.00000003.1404516434.00000000064DD000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403180179.00000000064BC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403503096.00000000064DC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405701557.00000000064EC000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1405103223.00000000064DF000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFF2E.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003E15E0 NtdllDefWindowProc_W, 5_2_003E15E0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_00361FB0 GetSystemDirectoryW,_wcschr,LoadLibraryExW,NtdllDefWindowProc_W, 5_2_00361FB0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_00300010 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 5_2_00300010
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002B2250 NtdllDefWindowProc_W, 5_2_002B2250
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002BC4F0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection, 5_2_002BC4F0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002B8720 NtdllDefWindowProc_W, 5_2_002B8720
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002B8890 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 5_2_002B8890
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_00300BAA ShowWindow,ShowWindow,GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 5_2_00300BAA
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002AEBE0 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W, 5_2_002AEBE0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_00300C22 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 5_2_00300C22
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_00300CE3 GetWindowLongW,SetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,SetWindowLongW, 5_2_00300CE3
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002F6EE0 NtdllDefWindowProc_W, 5_2_002F6EE0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002AF190 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString, 5_2_002AF190
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002CD320 NtdllDefWindowProc_W, 5_2_002CD320
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002C15F0 NtdllDefWindowProc_W, 5_2_002C15F0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002B1670 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow, 5_2_002B1670
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002AF7C0 NtdllDefWindowProc_W, 5_2_002AF7C0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002B1C90 NtdllDefWindowProc_W, 5_2_002B1C90
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_00347F20 NtdllDefWindowProc_W, 5_2_00347F20
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\50fd66.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFE6F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFECE.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFEFE.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFF2E.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIFE6F.tmp
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002BA950 5_2_002BA950
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003DB350 5_2_003DB350
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003B7D70 5_2_003B7D70
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002C6070 5_2_002C6070
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002C41B0 5_2_002C41B0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002BE290 5_2_002BE290
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_0043E2BE 5_2_0043E2BE
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_0043E64C 5_2_0043E64C
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_00382A50 5_2_00382A50
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_00458B95 5_2_00458B95
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002B8CD0 5_2_002B8CD0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002A2F40 5_2_002A2F40
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002D52F0 5_2_002D52F0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_0041D550 5_2_0041D550
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002C35A0 5_2_002C35A0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002C7630 5_2_002C7630
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_0037B7A0 5_2_0037B7A0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002FFA40 5_2_002FFA40
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_0044DD6A 5_2_0044DD6A
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_00313FC0 5_2_00313FC0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: String function: 002D3810 appears 90 times
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: String function: 002A7070 appears 53 times
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: String function: 002A6FF0 appears 46 times
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: String function: 002A99C0 appears 69 times
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: String function: 0039E6D0 appears 60 times
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: String function: 002A8800 appears 223 times
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: String function: 002A9390 appears 41 times
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: String function: 0039E770 appears 31 times
Source: 2c6HNWVywp.exe Binary or memory string: OriginalFileName vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe, 00000005.00000002.1406159021.0000000000566000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFileNameInstaller.exe4 vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe, 00000005.00000003.1325297826.0000000005777000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelzmaextractor.dllF vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrereq.dllF vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe Binary or memory string: OriginalFileNameInstaller.exe4 vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe Binary or memory string: OriginalFilenameDecoder.dllF vs 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: shiFAD5.tmp.5.dr Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine Classification label: clean13.winEXE@8/13@0/0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003A2230 FormatMessageW,GetLastError, 5_2_003A2230
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003CC990 GetDiskFreeSpaceExW, 5_2_003CC990
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003E6D50 CoCreateInstance, 5_2_003E6D50
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_0033AB40 FindResourceW,LoadResource,LockResource,SizeofResource, 5_2_0033AB40
Source: C:\Users\user\Desktop\2c6HNWVywp.exe File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD
Source: C:\Users\user\Desktop\2c6HNWVywp.exe File created: C:\Users\user\AppData\Local\Temp\shiFAD5.tmp
Source: 2c6HNWVywp.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2c6HNWVywp.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 2c6HNWVywp.exe, 00000005.00000002.1407101921.0000000001475000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403575355.0000000001453000.00000004.00000020.00020000.00000000.sdmp, 2c6HNWVywp.exe, 00000005.00000003.1403667113.0000000001473000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT `Instance`,`PropertyName`,`PropertyValue` FROM `MultipleInstancesProps`K;q
Source: C:\Users\user\Desktop\2c6HNWVywp.exe File read: C:\Users\user\Desktop\2c6HNWVywp.exe
Source: unknown Process created: C:\Users\user\Desktop\2c6HNWVywp.exe "C:\Users\user\Desktop\2c6HNWVywp.exe"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C17C6E88C2AC26D77232308596BFC404 C
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\2c6HNWVywp.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731488998 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 48383DF6A2E73543A85DB9345F606A15
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: lpk.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: msihnd.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: tsappcmp.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 2c6HNWVywp.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 2c6HNWVywp.exe Static file information: File size 49189312 > 1048576
Source: 2c6HNWVywp.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x216e00
Source: 2c6HNWVywp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2c6HNWVywp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2c6HNWVywp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2c6HNWVywp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2c6HNWVywp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2c6HNWVywp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 2c6HNWVywp.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: 2c6HNWVywp.exe, 00000005.00000003.1325297826.0000000005777000.00000004.00000020.00020000.00000000.sdmp, shiFAD5.tmp.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbo source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 50fd66.msi.7.dr, Installer.msi.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.00000000042E5000.00000004.00000020.00020000.00000000.sdmp, 50fd66.msi.7.dr, Installer.msi.5.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb source: 2c6HNWVywp.exe, decoder.dll.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdbb source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, MSIFF2E.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, Installer.msi.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, MSIFF2E.tmp.7.dr, 50fd66.msi.7.dr, MSIFC10.tmp.5.dr, Installer.msi.5.dr
Source: Binary string: wininet.pdbUGP source: 2c6HNWVywp.exe, 00000005.00000003.1325297826.0000000005777000.00000004.00000020.00020000.00000000.sdmp, shiFAD5.tmp.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, MSIFE6F.tmp.7.dr, MSIFEFE.tmp.7.dr, 50fd66.msi.7.dr, MSIFB63.tmp.5.dr, Installer.msi.5.dr, MSIFECE.tmp.7.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\Decoder.pdb5 source: 2c6HNWVywp.exe, decoder.dll.5.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: 2c6HNWVywp.exe, 00000005.00000003.1321698606.000000000418F000.00000004.00000020.00020000.00000000.sdmp, 50fd66.msi.7.dr, Installer.msi.5.dr
Source: Binary string: C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb source: 2c6HNWVywp.exe
Source: 2c6HNWVywp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2c6HNWVywp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2c6HNWVywp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2c6HNWVywp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2c6HNWVywp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shiFAD5.tmp.5.dr Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003A2350 LoadLibraryW,GetProcAddress,FreeLibrary, 5_2_003A2350
Source: shiFAD5.tmp.5.dr Static PE information: section name: .wpp_sf
Source: shiFAD5.tmp.5.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_3_0140E7FC push es; retf 5_3_0140E8E6
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_3_01406C71 push es; ret 5_3_01407092
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_3_0140C4E8 push esi; iretd 5_3_0140C4E9
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_3_0140EA8B push es; ret 5_3_0140EA8E
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_3_014070A5 push es; retf 5_3_014070A6
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_3_014070A7 push es; iretd 5_3_014070B2
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFECE.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFEFE.tmp
Source: C:\Users\user\Desktop\2c6HNWVywp.exe File created: C:\Users\user\AppData\Local\Temp\MSIFC10.tmp
Source: C:\Users\user\Desktop\2c6HNWVywp.exe File created: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe File created: C:\Users\user\AppData\Local\Temp\MSIFB63.tmp
Source: C:\Users\user\Desktop\2c6HNWVywp.exe File created: C:\Users\user\AppData\Local\Temp\shiFAD5.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFF2E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFE6F.tmp
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFECE.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFEFE.tmp
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFC10.tmp
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFB63.tmp
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiFAD5.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFF2E.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIFE6F.tmp
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\2c6HNWVywp.exe API coverage: 10.0 %
Source: C:\Users\user\Desktop\2c6HNWVywp.exe File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\2c6HNWVywp.exe File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install FullSizeInformation
Source: C:\Users\user\Desktop\2c6HNWVywp.exe File Volume queried: C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3 FullSizeInformation
Source: C:\Users\user\Desktop\2c6HNWVywp.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003A43B0 FindFirstFileW,GetLastError,FindClose, 5_2_003A43B0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003C2380 FindFirstFileW,FindClose, 5_2_003C2380
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002BA950 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,PathIsUNCW, 5_2_002BA950
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003C14D0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CreateEventW,CreateThread,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle, 5_2_003C14D0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003A3DE0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 5_2_003A3DE0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003AC0B0 FindFirstFileW,FindClose,FindClose, 5_2_003AC0B0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003BE3A0 FindFirstFileW,FindClose, 5_2_003BE3A0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003CE610 FindFirstFileW,FindClose, 5_2_003CE610
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003CB3D0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 5_2_003CB3D0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003CB7D0 FindFirstFileW,FindClose, 5_2_003CB7D0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003A3A50 FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 5_2_003A3A50
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003DFB20 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose, 5_2_003DFB20
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003CA620 _wcschr,GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection, 5_2_003CA620
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_0043365A VirtualQuery,GetSystemInfo, 5_2_0043365A
Source: Installer.msi.5.dr Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: 2c6HNWVywp.exe Binary or memory string: VMci4
Source: 2c6HNWVywp.exe Binary or memory string: hgfS`
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_0043AD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0043AD13
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003D77C0 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers, 5_2_003D77C0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003A2350 LoadLibraryW,GetProcAddress,FreeLibrary, 5_2_003A2350
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_0044C66D mov ecx, dword ptr fs:[00000030h] 5_2_0044C66D
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_0045783E mov eax, dword ptr fs:[00000030h] 5_2_0045783E
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_00435CA1 mov esi, dword ptr fs:[00000030h] 5_2_00435CA1
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_00435D0D GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 5_2_00435D0D
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_002D21E0 __set_se_translator,SetUnhandledExceptionFilter, 5_2_002D21E0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_00436738 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00436738
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_0043AD13 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0043AD13
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\consolhq ltd\consolehq 1.12.3\install\52455d3\installer.msi" ai_setupexepath=c:\users\user\desktop\2c6hnwvywp.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488998 " ai_euimsi=""
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\consolhq ltd\consolehq 1.12.3\install\52455d3\installer.msi" ai_setupexepath=c:\users\user\desktop\2c6hnwvywp.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1731488998 " ai_euimsi=""
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003CEAB0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle, 5_2_003CEAB0
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,MsgWaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,TranslateMessage,DispatchMessageW,MsgWaitForMultipleObjectsEx, 5_2_003C4050
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: GetLocaleInfoW, 5_2_004541E6
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: GetLocaleInfoW, 5_2_00450186
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_0045430F
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: GetLocaleInfoW, 5_2_00454415
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_004544E4
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 5_2_00453B80
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: EnumSystemLocalesW, 5_2_0044FC09
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: GetLocaleInfoW, 5_2_00453D7B
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: EnumSystemLocalesW, 5_2_00453E6D
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: EnumSystemLocalesW, 5_2_00453E22
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: EnumSystemLocalesW, 5_2_00453F08
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 5_2_00453F93
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003DBB20 CreateNamedPipeW,CreateFileW, 5_2_003DBB20
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_004372F4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_004372F4
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_003DA240 GetUserNameW,GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW, 5_2_003DA240
Source: C:\Users\user\Desktop\2c6HNWVywp.exe Code function: 5_2_00396BF0 RevokeBindStatusCallback, 5_2_00396BF0
No contacted IP infos