Windows Analysis Report
setup.msi

Overview

General Information

Sample name: setup.msi
Analysis ID: 1579288
MD5: 2a680c15a6a3d07a5e4dce69c190f91c
SHA1: 73e7ac9d834f35c38712256f744c03471da90b68
SHA256: 38072285421b1dda58ca4d8f722346d3cdf32b43203ae6ec5254dcdc24546b65
Tags: msiuser-aachum
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Query firmware table information (likely to detect VMs)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection
barindex
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 93.1% probability
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9323EC13-B736-45ED-8845-7358C228FF45} Jump to behavior
Source: unknown HTTPS traffic detected: 172.67.164.25:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000008.00000000.2256663495.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000B.00000000.2263248130.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi
Source: Binary string: ucrtbase.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi, MSI55A1.tmp.1.dr, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi, 68204f.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi, 68204f.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi, 68204f.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000B.00000002.2266818488.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi, MSI55A1.tmp.1.dr, 68204f.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi, 68204f.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000B.00000000.2263248130.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000008.00000000.2256663495.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: ucrtbase.pdbUGP source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi, 68204f.msi.1.dr
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B912A330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn, 11_2_00007FF8B912A330

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.5:49704 -> 172.67.164.25:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: cubermo.com
Source: unknown HTTP traffic detected: POST /updater.php HTTP/1.1Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: AdvancedInstallerHost: cubermo.comContent-Length: 71Cache-Control: no-cache
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: setup.msi, 68204f.msi.1.dr String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: powershell.exe, 00000004.00000002.2197381041.0000000000C98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: setup.msi, 68204f.msi.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: setup.msi, 68204f.msi.1.dr String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: setup.msi, 68204f.msi.1.dr String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000004.00000002.2206830499.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: setup.msi, 68204f.msi.1.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: setup.msi, 68204f.msi.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000004.00000002.2198351742.0000000004EB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: setup.msi, 68204f.msi.1.dr String found in binary or memory: http://schemas.mick
Source: powershell.exe, 00000004.00000002.2198351742.0000000004D61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2198351742.0000000004EB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ImporterREDServer.exe, 0000000B.00000002.2266818488.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr String found in binary or memory: http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter-
Source: powershell.exe, 00000004.00000002.2198351742.0000000004D61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: setup.msi String found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
Source: powershell.exe, 00000004.00000002.2206830499.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2206830499.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2206830499.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: setup.msi, 68204f.msi.1.dr String found in binary or memory: https://cubermo.com/updater.phpx
Source: powershell.exe, 00000004.00000002.2198351742.0000000004EB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2198351742.000000000558C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2206830499.0000000005DCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 68204f.msi.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 172.67.164.25:443 -> 192.168.2.5:49704 version: TLS 1.2
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\68204f.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI29D5.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2AD0.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2B0F.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2B3F.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2B8E.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2BCE.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2BFE.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4A06.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{9323EC13-B736-45ED-8845-7358C228FF45} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5590.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI55A1.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\682052.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\682052.msi Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI29D5.tmp Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00F5B518 4_2_00F5B518
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_0000000140012220 11_2_0000000140012220
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_0000000140008390 11_2_0000000140008390
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_0000000140007FC0 11_2_0000000140007FC0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B9142208 11_2_00007FF8B9142208
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B915A27C 11_2_00007FF8B915A27C
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B912F9B0 11_2_00007FF8B912F9B0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B915F9DA 11_2_00007FF8B915F9DA
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B9139460 11_2_00007FF8B9139460
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B9140C60 11_2_00007FF8B9140C60
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B9145470 11_2_00007FF8B9145470
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B9136440 11_2_00007FF8B9136440
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B9146C84 11_2_00007FF8B9146C84
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B91544E0 11_2_00007FF8B91544E0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B913BCD0 11_2_00007FF8B913BCD0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B9146338 11_2_00007FF8B9146338
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B9144340 11_2_00007FF8B9144340
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B913ABB0 11_2_00007FF8B913ABB0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B915B698 11_2_00007FF8B915B698
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B9152D70 11_2_00007FF8B9152D70
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B915BDA0 11_2_00007FF8B915BDA0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B91595A8 11_2_00007FF8B91595A8
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B913CDF0 11_2_00007FF8B913CDF0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B912D810 11_2_00007FF8B912D810
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B912E8B0 11_2_00007FF8B912E8B0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B9152880 11_2_00007FF8B9152880
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B91360D0 11_2_00007FF8B91360D0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B9143F00 11_2_00007FF8B9143F00
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B913DF10 11_2_00007FF8B913DF10
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B9140710 11_2_00007FF8B9140710
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B9138FB0 11_2_00007FF8B9138FB0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B912C780 11_2_00007FF8B912C780
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B9144780 11_2_00007FF8B9144780
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8BFB57508 11_2_00007FF8BFB57508
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: String function: 000000014000BC30 appears 53 times
PE file does not import any functions
Source: api-ms-win-core-handle-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: setup.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs setup.msi
Source: setup.msi Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs setup.msi
Source: setup.msi Binary or memory string: OriginalFilenameDataUploader.dllF vs setup.msi
Source: setup.msi Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs setup.msi
Source: setup.msi Binary or memory string: OriginalFilenameucrtbase.dllj% vs setup.msi
Source: setup.msi Binary or memory string: OriginalFilenamevcruntime140.dllT vs setup.msi
Source: setup.msi Binary or memory string: OriginalFilenamemsvcp140.dllT vs setup.msi
Source: setup.msi Binary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs setup.msi
Source: setup.msi Binary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs setup.msi
Source: setup.msi Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs setup.msi
Source: dvacore.dll.1.dr Binary string: Win.FileUtils path: Throw file exception with last error (HRESULT): $$$/dvacore/utility/FileUtils_WIN/Unknown=Unknown$$$/dvacore/utility/FileUtils_WIN/Invalid=Invalid$$$/dvacore/utility/FileUtils_WIN/Removable=Removable$$$/dvacore/utility/FileUtils_WIN/Fixed=Local Disk$$$/dvacore/utility/FileUtils_WIN/Network=Network$$$/dvacore/utility/FileUtils_WIN/CDROM=CD-ROM$$$/dvacore/utility/FileUtils_WIN/RAMDisk=RAM Disk_:\Device\Floppy\\?\\\?\UNC (error Unable to delete \/.\\127.0.0.1xt4
Source: classification engine Classification label: mal68.evad.winMSI@18/94@1/1
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_0000000140010BE0 GetLastError,FormatMessageA, 11_2_0000000140010BE0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B912A7B0 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn, 11_2_00007FF8B912A7B0
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CML6017.tmp Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2148:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5404:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4448:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF518574BEBB17DA44.TMP Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\SysWOW64\msiexec.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload Jump to behavior
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CFC4A735AC50180D686C8F7014EE44E3
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CFC4A735AC50180D686C8F7014EE44E3 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe" Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Section loaded: dbgcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: dvacore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: libzip.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: boost_system.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: boost_date_time.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: boost_threads.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: boost_filesystem.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: dvaunittesting.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: utest.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe Section loaded: loadperf.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9323EC13-B736-45ED-8845-7358C228FF45} Jump to behavior
Source: setup.msi Static file information: File size 60336332 > 1048576
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000008.00000000.2256663495.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: setup.msi
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000B.00000000.2263248130.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: setup.msi
Source: Binary string: ucrtbase.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: setup.msi, MSI55A1.tmp.1.dr, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: setup.msi, 68204f.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.msi, 68204f.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: setup.msi, 68204f.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: setup.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000B.00000002.2266818488.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.msi, MSI55A1.tmp.1.dr, 68204f.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: setup.msi, 68204f.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000B.00000002.2267314345.00007FF8BFB62000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: setup.msi
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000B.00000000.2263248130.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000B.00000002.2265723786.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: setup.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000008.00000000.2256663495.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000008.00000002.2264028169.00007FF7482B8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000B.00000002.2267141137.00007FF8B9176000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: ucrtbase.pdbUGP source: setup.msi, 68204f.msi.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.msi, 68204f.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: setup.msi, 68204f.msi.1.dr
Binary contains a suspicious time stamp
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr Static PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]
PE file contains sections with non-standard names
Source: vcruntime140.dll.1.dr Static PE information: section name: _RDATA
Source: UnRar.exe.1.dr Static PE information: section name: _RDATA
Source: BCUninstaller.exe.1.dr Static PE information: section name: _RDATA
Source: createdump.exe.1.dr Static PE information: section name: _RDATA
Source: MSI55A1.tmp.1.dr Static PE information: section name: .fptable
Source: MSI29D5.tmp.1.dr Static PE information: section name: .fptable
Source: MSI2AD0.tmp.1.dr Static PE information: section name: .fptable
Source: MSI2B0F.tmp.1.dr Static PE information: section name: .fptable
Source: MSI2B3F.tmp.1.dr Static PE information: section name: .fptable
Source: MSI2B8E.tmp.1.dr Static PE information: section name: .fptable
Source: MSI2BCE.tmp.1.dr Static PE information: section name: .fptable
Source: MSI2BFE.tmp.1.dr Static PE information: section name: .fptable
Source: MSI4A06.tmp.1.dr Static PE information: section name: .fptable
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00F50A90 push FFFFFFE9h; retf 4_2_00F50AA9
Drops PE files
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_threads.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2B8E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_date_time.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_filesystem.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4A06.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\utest.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2B3F.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140_1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2AD0.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2B0F.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI55A1.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2BFE.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2BCE.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI29D5.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2BFE.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2AD0.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2BCE.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2B0F.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4A06.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI55A1.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2B8E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI29D5.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2B3F.tmp Jump to dropped file
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B915C0C0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 11_2_00007FF8B915C0C0
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Windows\SysWOW64\msiexec.exe System information queried: FirmwareTableInformation Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4005 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1706 Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 1655 Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 2074 Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 1054 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2AD0.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2B0F.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI55A1.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2B8E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2BFE.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2BCE.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI4A06.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI29D5.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2B3F.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe API coverage: 8.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2684 Thread sleep count: 4005 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5376 Thread sleep count: 1706 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4676 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6132 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 7056 Thread sleep count: 1655 > 30 Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 7056 Thread sleep count: 2074 > 30 Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 7056 Thread sleep count: 1054 > 30 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B912A330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn, 11_2_00007FF8B912A330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: 68204f.msi.1.dr Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Code function: 8_2_00007FF7482B2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FF7482B2ECC
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Code function: 8_2_00007FF7482B2984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FF7482B2984
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Code function: 8_2_00007FF7482B3074 SetUnhandledExceptionFilter, 8_2_00007FF7482B3074
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Code function: 8_2_00007FF7482B2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FF7482B2ECC
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_0000000140011004 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0000000140011004
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_0000000140011D78 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_0000000140011D78
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_0000000140011F24 SetUnhandledExceptionFilter, 11_2_0000000140011F24
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8B9172CDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00007FF8B9172CDC
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 11_2_00007FF8BFB6004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00007FF8BFB6004C

HIPS / PFW / Operating System Protection Evasion
barindex
Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss55F9.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi55F6.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr55F7.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr55F8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss55f9.ps1" -propfile "c:\users\user\appdata\local\temp\msi55f6.txt" -scriptfile "c:\users\user\appdata\local\temp\scr55f7.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr55f8.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss55f9.ps1" -propfile "c:\users\user\appdata\local\temp\msi55f6.txt" -scriptfile "c:\users\user\appdata\local\temp\scr55f7.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr55f8.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue." Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: ___lc_locale_name_func,GetLocaleInfoEx, 11_2_00007FF8B914EFC0
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Code function: 8_2_00007FF7482B2DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 8_2_00007FF7482B2DA0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1579288 Sample: setup.msi Startdate: 21/12/2024 Architecture: WINDOWS Score: 68 51 cubermo.com 2->51 59 Suricata IDS alerts for network traffic 2->59 61 AI detected suspicious sample 2->61 63 Sigma detected: Suspicious Script Execution From Temp Folder 2->63 65 Sigma detected: Script Interpreter Execution From Suspicious Folder 2->65 9 msiexec.exe 139 107 2->9         started        12 msiexec.exe 2 2->12         started        signatures3 process4 file5 37 C:\Windows\Installer\MSI55A1.tmp, PE32 9->37 dropped 39 C:\Windows\Installer\MSI4A06.tmp, PE32 9->39 dropped 41 C:\Windows\Installer\MSI2BFE.tmp, PE32 9->41 dropped 43 52 other files (none is malicious) 9->43 dropped 14 msiexec.exe 14 9->14         started        19 cmd.exe 1 9->19         started        21 createdump.exe 1 9->21         started        process6 dnsIp7 53 cubermo.com 172.67.164.25, 443, 49704 CLOUDFLARENETUS United States 14->53 45 C:\Users\user\AppData\Local\...\scr55F7.ps1, Unicode 14->45 dropped 47 C:\Users\user\AppData\Local\...\pss55F9.ps1, Unicode 14->47 dropped 49 C:\Users\user\AppData\Local\...\msi55F6.txt, Unicode 14->49 dropped 55 Query firmware table information (likely to detect VMs) 14->55 57 Bypasses PowerShell execution policy 14->57 23 powershell.exe 17 14->23         started        25 WMIADAP.exe 4 14->25         started        27 ImporterREDServer.exe 1 19->27         started        29 conhost.exe 19->29         started        31 conhost.exe 21->31         started        file8 signatures9 process10 process11 33 conhost.exe 23->33         started        35 conhost.exe 27->35         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.164.25
 cubermo.com United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
cubermo.com 172.67.164.25 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://cubermo.com/updater.php true
    		unknown