Edit tour

Windows Analysis Report
EasyLogUSB+Installer.exe

Overview

General Information

Sample name:	EasyLogUSB+Installer.exe
Analysis ID:	1501387
MD5:	d3d4273692e34102b88c513ad1c10040
SHA1:	1b75e5c2644fbf075040df437b15d4d2c128c2cf
SHA256:	cc2652dc33020fab609750a6f627e2f8e6597960b25f210981e62f5ad92f7d70
Infos:

Detection

Score:	6
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Compliance

Score:	45
Range:	0 - 100

Signatures

Checks for available system drives (often done to infect USB drives)

Creates driver files

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Launches processes in debugging mode, may be used to hinder debugging

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Execution From GUID Like Folder Names

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

EasyLogUSB+Installer.exe (PID: 7056 cmdline: "C:\Users\user\Desktop\EasyLogUSB+Installer.exe" MD5: D3D4273692E34102B88C513AD1C10040)

msiexec.exe (PID: 6372 cmdline: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{0D022C78-2169-466B-A31C-8D092A6A94A4}\EasyLog USB.msi" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="EasyLogUSB+Installer.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6328 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6204 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7728979BC62DF75D3D4A0D670E15253D C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5708 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8679B04C71729C7D188454F6AA437A24 MD5: 9D09DC1EDA745A5F87553048E57620CF)

EL-USB Driver Setup.exe (PID: 1548 cmdline: "C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe" MD5: 4BD3D58BEB869D0895D93ACCADC08032)

cleanup

Sigma Signatures

Sigma detected: Suspicious Execution From GUID Like Folder Names

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{0D022C78-2169-466B-A31C-8D092A6A94A4}\EasyLog USB.msi" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="EasyLogUSB+Installer.exe", CommandLine: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{0D022C78-2169-466B-A31C-8D092A6A94A4}\EasyLog USB.msi" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="EasyLogUSB+Installer.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msiexec.exe, NewProcessName: C:\Windows\SysWOW64\msiexec.exe, OriginalFileName: C:\Windows\SysWOW64\msiexec.exe, ParentCommandLine: "C:\Users\user\Desktop\EasyLogUSB+Installer.exe", ParentImage: C:\Users\user\Desktop\EasyLogUSB+Installer.exe, ParentProcessId: 7056, ParentProcessName: EasyLogUSB+Installer.exe, ProcessCommandLine: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{0D022C78-2169-466B-A31C-8D092A6A94A4}\EasyLog USB.msi" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="EasyLogUSB+Installer.exe", ProcessId: 6372, ProcessName: msiexec.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Compliance

Uses 32bit PE files

Source: EasyLogUSB+Installer.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: EasyLogUSB+Installer.exe

Static PE information: certificate valid

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

System Summary

Creates driver files

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\EasyLog USB\x86\SiLib.sys

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3a61ad.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI647C.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6539.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\SiUSBXp.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLog_USB.exe_63257A9301FB4EABA085D3C69F470EC4.exe
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLogGraph.exe_3D39C605F6D0484A88F3AD4B82B13993.exe
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3a61af.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3a61af.msi

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI647C.tmp

Uses 32bit PE files

Source: EasyLogUSB+Installer.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean6.winEXE@10/45@0/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\EasyLog USB

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\Public\Desktop\EasyLog USB.lnk

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

File created: C:\Users\user\AppData\Local\Temp\{0D022C78-2169-466B-A31C-8D092A6A94A4}\

Source: EasyLogUSB+Installer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

File read: C:\Users\user\AppData\Local\Temp\{0D022C78-2169-466B-A31C-8D092A6A94A4}\Setup.INI

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

File read: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

Source: unknown	Process created: C:\Users\user\Desktop\EasyLogUSB+Installer.exe "C:\Users\user\Desktop\EasyLogUSB+Installer.exe"
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{0D022C78-2169-466B-A31C-8D092A6A94A4}\EasyLog USB.msi" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="EasyLogUSB+Installer.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7728979BC62DF75D3D4A0D670E15253D C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8679B04C71729C7D188454F6AA437A24
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe "C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe"
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{0D022C78-2169-466B-A31C-8D092A6A94A4}\EasyLog USB.msi" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="EasyLogUSB+Installer.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7728979BC62DF75D3D4A0D670E15253D C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8679B04C71729C7D188454F6AA437A24
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe "C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe"

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: msi.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched20.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: usp10.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: acgenral.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: aclayers.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: sfc.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: textshaping.dll

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

File written: C:\Users\user\AppData\Local\Temp\{0D022C78-2169-466B-A31C-8D092A6A94A4}\Setup.INI

PE / OLE file has a valid certificate

Source: EasyLogUSB+Installer.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: EasyLogUSB+Installer.exe

Static file information: File size 19500624 > 1048576

PE file contains a debug data directory

Source: EasyLogUSB+Installer.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\ExportToExcel.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\EasyLog USB.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\SiUSBXp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI647C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLogGraph.exe_3D39C605F6D0484A88F3AD4B82B13993.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI478F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\x86\SiLib.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\x64\SiUSBXp.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\x86\SiUSBXp.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\EasyLogGraph.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLog_USB.exe_63257A9301FB4EABA085D3C69F470EC4.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\x64\SiLib.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\CustomControls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\WPFToolkit.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\SiUSBXp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI647C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLogGraph.exe_3D39C605F6D0484A88F3AD4B82B13993.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLog_USB.exe_63257A9301FB4EABA085D3C69F470EC4.exe	Jump to dropped file

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyLog USB
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyLog USB\EasyLog USB.lnk
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyLog USB\EasyLogGraph.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\ExportToExcel.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\EasyLog USB.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\SiUSBXp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI647C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLogGraph.exe_3D39C605F6D0484A88F3AD4B82B13993.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI478F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\x86\SiLib.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\x64\SiUSBXp.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\x86\SiUSBXp.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\EasyLogGraph.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLog_USB.exe_63257A9301FB4EABA085D3C69F470EC4.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\x64\SiLib.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\CustomControls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\WPFToolkit.dll	Jump to dropped file

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Anti Debugging

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe "C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe"

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	1 Windows Service	1 Windows Service	22 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Process Injection	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Source	Detection	Scanner	Label	Link
EasyLogUSB+Installer.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\EasyLog USB\CustomControls.dll	0%	ReversingLabs
C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	0%	ReversingLabs
C:\Program Files (x86)\EasyLog USB\EasyLog USB.exe	0%	ReversingLabs
C:\Program Files (x86)\EasyLog USB\EasyLogGraph.exe	0%	ReversingLabs
C:\Program Files (x86)\EasyLog USB\ExportToExcel.dll	0%	ReversingLabs
C:\Program Files (x86)\EasyLog USB\WPFToolkit.dll	0%	ReversingLabs
C:\Program Files (x86)\EasyLog USB\x64\SiLib.sys	0%	ReversingLabs
C:\Program Files (x86)\EasyLog USB\x64\SiUSBXp.sys	0%	ReversingLabs
C:\Program Files (x86)\EasyLog USB\x86\SiLib.sys	0%	ReversingLabs
C:\Program Files (x86)\EasyLog USB\x86\SiUSBXp.sys	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI478F.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI647C.tmp	0%	ReversingLabs
C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\ARPPRODUCTICON.exe	0%	ReversingLabs
C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLogGraph.exe_3D39C605F6D0484A88F3AD4B82B13993.exe	0%	ReversingLabs
C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLog_USB.exe_63257A9301FB4EABA085D3C69F470EC4.exe	0%	ReversingLabs
C:\Windows\SysWOW64\SiUSBXp.dll	0%	ReversingLabs

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501387
Start date and time:	2024-08-29 20:47:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	EasyLogUSB+Installer.exe
Detection:	CLEAN
Classification:	clean6.winEXE@10/45@0/0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, login.live.com, settings-win.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: EasyLogUSB+Installer.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	14060
Entropy (8bit):	5.731046015041822
Encrypted:	false
SSDEEP:
MD5:	38C8EFB5F66D923D228E69BA8B8F6D12
SHA1:	4916C3E27FEA40547FE6D94E0F092E4269F29C1C
SHA-256:	771AE6B0FB5CBB29D017DB86522025C1BFA3541860E1CC8FD4E731C916ADA19E
SHA-512:	5468CFFD6522CBAE57C6B6E65DE8E85D9FE013386BA28832EFCC4539F1565AD4383E5D88C31C59A9BE7DF9A1D87F71C9B8D7465C38BA7BF9E953412EDCF22247
Malicious:	false
Reputation:	unknown
Preview:	...@IXOS.@.....@.v.Y.@.....@.....@.....@.....@.....@......&.{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}..EasyLog USB..EasyLog USB.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{8C7E2C80-4C6F-4A5C-9FDD-5AA316A9E29A}.....@.....@.....@.....@.......@.....@.....@.......@......EasyLog USB......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{429FE619-EEB7-4E48-AF7A-4F56DD1C7491}&.{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}.@......&.{1D213698-CDE4-4051-B5BD-2BBDFE318583}&.{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}.@......&.{B2ECCF77-395E-4A26-A4BF-5EC89425F03F}&.{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}.@......&.{AFECBE12-FD2C-45CC-80F8-C71798C38400}&.{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}.@......&.{A058DD12-721A-4A06-81C5-933F86CBD9A8}&.{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}.@......&.{C7CB0A68-EC59-41D8-B200-84E9EA2E80DD}&.{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}.@......&.{782F7E0F-9847-4B86-B5B0-33A2239F1B52}&

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	205
Entropy (8bit):	5.239236705496828
Encrypted:	false
SSDEEP:
MD5:	52E37704F6B2D0A60914D4FC33BB8392
SHA1:	865DE5AD56B952BC6A55A44A9B25C5982B08856D
SHA-256:	80D350EEFE5A06D8D5939421EA8AA11227E1CB7531405D44D236F7C520BD1D26
SHA-512:	19EBDD5C7765B6C4CF3F10B76550679345B51F0C38C6081DC9B8F6DE1ADD700F7124A8CF7CB948FB6E494DA607677A646ADDE50E6C748C41526DE6B698425215
Malicious:	false
Reputation:	unknown
Preview:	[DLL1]..Return=void..Module=user32.dll..Func=MessageBoxA..Arg0=in,MsiWindowHandle,NUMBER..Arg1=in,[MESSAGEPROP],STRING..Arg2=in,[CAPTIONPROP],STRING..Arg3=in,1,NUMBER..Silent=Yes..Source=Local,user32.dll..

Process:	C:\Users\user\Desktop\EasyLogUSB+Installer.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (308), with CRLF line terminators
Category:	dropped
Size (bytes):	22480
Entropy (8bit):	3.4851320007899904
Encrypted:	false
SSDEEP:
MD5:	A108F0030A2CDA00405281014F897241
SHA1:	D112325FA45664272B08EF5E8FF8C85382EBB991
SHA-256:	8B76DF0FFC9A226B532B60936765B852B89780C6E475C152F7C320E085E43948
SHA-512:	D83894B039316C38915A789920758664257680DCB549A9B740CF5361ADDBEE4D4A96A3FF2999B5D8ACFB1D9336DA055EC20012D29A9F83EE5459F103FBEEC298
Malicious:	false
Reputation:	unknown
Preview:	..[.0.x.0.4.0.9.].....1.1.0.0.=.S.e.t.u.p. .I.n.i.t.i.a.l.i.z.a.t.i.o.n. .E.r.r.o.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t.h.e. .%.2.,. .w.h.i.c.h. .w.i.l.l. .g.u.i.d.e. .y.o.u. .t.h.r.o.u.g.h. .t.h.e. .p.r.o.g.r.a.m. .s.e.t.u.p. .p.r.o.c.e.s.s... . .P.l.e.a.s.e. .w.a.i.t.......1.1.0.3.=.C.h.e.c.k.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .V.e.r.s.i.o.n.....1.1.0.4.=.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .V.e.r.s.i.o.n.....1.1.0.5.=.C.o.n.f.i.g.u.r.i.n.g. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.i.n.g. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.s. .c.o.m.p.l.e.t.e.d. .c.o.n.f.i.g.u.r.i.n.g. .t.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.n. .y.o.u.r. .s.y.s.t.e.m... .T.h.e. .s.y.s.t.e.m. .n.e.e.d.s. .t.o. .b.e. .r.e.s.t.a.r.t.e.d. .i.n. .o.r.d.e.r. .t.o. .c.o.n.t.i.n.u.e. .w.i.t.h. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n... .P.l.e.a.s.e. .c.l.i.c.k. .R.e.s.t.a.r.t. .t.o. .r.e.b.o.o.t. .t.h.e. .s.y.s.t.e.m.......1.1.0.8.

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.982918880423008
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EasyLogUSB+Installer.exe
File size:	19'500'624 bytes
MD5:	d3d4273692e34102b88c513ad1c10040
SHA1:	1b75e5c2644fbf075040df437b15d4d2c128c2cf
SHA256:	cc2652dc33020fab609750a6f627e2f8e6597960b25f210981e62f5ad92f7d70
SHA512:	94ea2dedb53887a40b4995536211d94247b3bd9994e0b3888eedffa52a20b4cd500a4da86f110a7a203ba2802b011d29c349774df8d4bea5ea3237f216e1157b
SSDEEP:	393216:BhQWQwqV7x2GH3mm+xaYzY4VGHxfwzXUxnIbG1vrMd:Bjqd9WJaYz7GRfwLUxnIbcYd
TLSH:	49172323B581903ED5A102328C6FAD7081A97EB35E31465BF698FF1D1DF48827927F1A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........wn.............................M.......M...7...@a......M.......@a..........!...................................Rich...........

Entrypoint:	0x4575cc
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x57B8A2BE [Sat Aug 20 18:34:38 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	4da036c357ba9b57ad512acda2ab8f70

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	25/01/2022 01:00:00 24/01/2023 00:59:59
Subject Chain	CN=Lascar Electronics Ltd., O=Lascar Electronics Ltd., L=Salisbury, C=GB
Version:	3
Thumbprint MD5:	B656567D8713E66AE810DFDEF09BAA4E
Thumbprint SHA-1:	E120C7DAC8262B2FC234FFDD7FEF64DB785FF6E4
Thumbprint SHA-256:	470E7DEBE4EF2ED0668130574D9D743A3146EC84E67B32537A42A506442399B0
Serial:	0129746216985DDDF8A35EE9CD1C24B9

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe963c	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf5000	0x4cc9c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1296130	0x2d20
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb5680	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xcec40	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb5000	0x584	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xe8cf0	0xe0	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb3145	0xb3200	3c5019b481b36b50861c003b927571fe	False	0.4942537508722959	data	6.587897407968807	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb5000	0x363a2	0x36400	9ccda080685d04b6d39abf90df4ddb2e	False	0.4168391777073733	data	5.111602563063982	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xec000	0x8c38	0x2800	ac1123bbcdd1c65593b571a2c4af0630	False	0.29013671875	data	4.4690563880861	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf5000	0x4cc9c	0x4ce00	4266bd2112a8e5f29d2d02ae8b566503	False	0.33817962398373985	data	6.561419459411344	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
GIF	0xf5dcc	0x33a7	GIF image data, version 89a, 350 x 624			0.9106859260379642
GIF	0xf9174	0x339f	GIF image data, version 89a, 350 x 624	English	United States	0.9129020052970109
PNG	0xfc514	0x39ed	PNG image data, 360 x 150, 8-bit/color RGBA, non-interlaced			0.9975723244992919
PNG	0xfff04	0x2fc9	PNG image data, 240 x 227, 8-bit/color RGBA, non-interlaced			0.9968119022316685
RT_BITMAP	0x102ed0	0x14220	Device independent bitmap graphic, 220 x 370 x 8, image size 81400			0.34390764454792394
RT_BITMAP	0x1170f0	0x1b5c	Device independent bitmap graphic, 180 x 75 x 4, image size 6900			0.18046830382638493
RT_BITMAP	0x118c4c	0x38e4	Device independent bitmap graphic, 180 x 75 x 8, image size 13500			0.26689096402087337
RT_BITMAP	0x11c530	0x1238	Device independent bitmap graphic, 60 x 60 x 8, image size 3600			0.23499142367066894
RT_BITMAP	0x11d768	0x6588	Device independent bitmap graphic, 161 x 152 x 8, image size 24928, resolution 3796 x 3796 px/m, 256 important colors			0.3035934133579563
RT_BITMAP	0x123cf0	0x11f88	Device independent bitmap graphic, 161 x 152 x 24, image size 73568, resolution 3780 x 3780 px/m			0.12790729268557766
RT_ICON	0x135c78	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024			0.21808510638297873
RT_ICON	0x1360e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.099906191369606
RT_ICON	0x137188	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216			0.06109958506224066
RT_ICON	0x139730	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.35618279569892475
RT_ICON	0x139a18	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.42473118279569894
RT_DIALOG	0x139d00	0x1ce	data			0.48917748917748916
RT_DIALOG	0x139ed0	0x266	data			0.4527687296416938
RT_DIALOG	0x13a138	0x2b0	data			0.438953488372093
RT_DIALOG	0x13a3e8	0x54	data			0.6904761904761905
RT_DIALOG	0x13a43c	0x34	data			0.8846153846153846
RT_DIALOG	0x13a470	0xd6	data			0.6495327102803738
RT_DIALOG	0x13a548	0x114	data			0.5036231884057971
RT_DIALOG	0x13a65c	0xd6	data			0.5841121495327103
RT_DIALOG	0x13a734	0x246	data			0.4690721649484536
RT_DIALOG	0x13a97c	0x3c8	data			0.4194214876033058
RT_DIALOG	0x13ad44	0x14e	data			0.5359281437125748
RT_DIALOG	0x13ae94	0x1e8	data			0.49385245901639346
RT_DIALOG	0x13b07c	0x1c6	data			0.5286343612334802
RT_DIALOG	0x13b244	0x1ee	data			0.49190283400809715
RT_DIALOG	0x13b434	0x7c	data			0.7580645161290323
RT_DIALOG	0x13b4b0	0x3bc	data			0.4372384937238494
RT_DIALOG	0x13b86c	0x158	data			0.5581395348837209
RT_DIALOG	0x13b9c4	0x1da	data			0.5168776371308017
RT_DIALOG	0x13bba0	0x10a	data			0.6015037593984962
RT_DIALOG	0x13bcac	0xde	data			0.6441441441441441
RT_DIALOG	0x13bd8c	0x1d4	data			0.5085470085470085
RT_DIALOG	0x13bf60	0x1dc	data			0.5210084033613446
RT_DIALOG	0x13c13c	0x294	data			0.48787878787878786
RT_STRING	0x13c3d0	0x160	data	English	United States	0.5340909090909091
RT_STRING	0x13c530	0x23e	data	English	United States	0.40418118466898956
RT_STRING	0x13c770	0x378	data	English	United States	0.4222972972972973
RT_STRING	0x13cae8	0x252	data	English	United States	0.4393939393939394
RT_STRING	0x13cd3c	0x1f4	data	English	United States	0.442
RT_STRING	0x13cf30	0x66a	data	English	United States	0.3617539585870889
RT_STRING	0x13d59c	0x366	data	English	United States	0.41379310344827586
RT_STRING	0x13d904	0x27e	data	English	United States	0.4561128526645768
RT_STRING	0x13db84	0x518	data	English	United States	0.39800613496932513
RT_STRING	0x13e09c	0x882	data	English	United States	0.3002754820936639
RT_STRING	0x13e920	0x23e	data	English	United States	0.45121951219512196
RT_STRING	0x13eb60	0x3ba	data	English	United States	0.3280922431865828
RT_STRING	0x13ef1c	0x12c	data	English	United States	0.5266666666666666
RT_STRING	0x13f048	0x4a	data	English	United States	0.6756756756756757
RT_STRING	0x13f094	0xda	data	English	United States	0.6100917431192661
RT_STRING	0x13f170	0x110	data	English	United States	0.5845588235294118
RT_STRING	0x13f280	0x20a	data	English	United States	0.4521072796934866
RT_STRING	0x13f48c	0xba	Matlab v4 mat-file (little endian) P, numeric, rows 0, columns 0	English	United States	0.5860215053763441
RT_STRING	0x13f548	0xa8	data	English	United States	0.6607142857142857
RT_STRING	0x13f5f0	0x12a	data	English	United States	0.5201342281879194
RT_STRING	0x13f71c	0x422	data	English	United States	0.2741020793950851
RT_STRING	0x13fb40	0x5c2	data	English	United States	0.37720488466757124
RT_STRING	0x140104	0x40	data	English	United States	0.671875
RT_STRING	0x140144	0xcaa	data	English	United States	0.2313386798272671
RT_STRING	0x140df0	0x284	data	English	United States	0.4363354037267081
RT_GROUP_ICON	0x141074	0x30	data			0.8125
RT_GROUP_ICON	0x1410a4	0x14	data			1.25
RT_GROUP_ICON	0x1410b8	0x14	data			1.2
RT_VERSION	0x1410cc	0x424	data			0.4349056603773585
RT_MANIFEST	0x1414f0	0x52a	XML 1.0 document, ASCII text, with CRLF line terminators			0.46520423600605143
RT_MANIFEST	0x141a1c	0x280	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.553125

DLL	Import
COMCTL32.dll
KERNEL32.dll	LoadLibraryW, lstrcmpW, lstrcmpiW, GetSystemDefaultLangID, GetUserDefaultLangID, VerLanguageNameW, CompareFileTime, CreateDirectoryW, FindClose, FindFirstFileW, FindNextFileW, SetFileAttributesW, GetSystemTimeAsFileTime, GetPrivateProfileStringW, MoveFileW, LocalFree, FormatMessageW, GetSystemInfo, MulDiv, RaiseException, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LoadLibraryExW, GetVersion, GetLocalTime, IsValidLocale, GetCommandLineW, GetFileAttributesW, GlobalAlloc, GlobalFree, FlushFileBuffers, SetEndOfFile, VirtualQuery, lstrcpyA, IsBadReadPtr, GetDiskFreeSpaceExW, GetDriveTypeW, GetExitCodeProcess, GetCurrentThread, GetLocaleInfoW, InterlockedExchange, LoadLibraryExA, DecodePointer, LCMapStringW, RtlUnwind, IsDebuggerPresent, MoveFileExW, WriteProcessMemory, VirtualProtectEx, GetSystemDirectoryW, FreeLibrary, SetThreadContext, GetThreadContext, CreateProcessW, ResumeThread, TerminateProcess, ExitProcess, GetCurrentProcess, Sleep, WaitForSingleObject, DuplicateHandle, RemoveDirectoryW, DeleteFileW, SetCurrentDirectoryW, lstrlenW, lstrcpynA, LocalAlloc, lstrcmpA, SystemTimeToFileTime, ResetEvent, SetEvent, Process32NextW, Process32FirstW, CreateToolhelp32Snapshot, GetCurrentDirectoryW, FindResourceExW, GetEnvironmentVariableW, SetFileTime, GetFileTime, OpenProcess, GetProcessTimes, ReadConsoleW, WriteConsoleW, SetStdHandle, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FatalAppExitA, EnumSystemLocalesW, GetUserDefaultLCID, GetTimeFormatW, GetDateFormatW, SetConsoleCtrlHandler, OutputDebugStringW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCurrentProcessId, QueryPerformanceCounter, GetFileType, HeapReAlloc, CreateSemaphoreW, GetStartupInfoW, TlsFree, TlsSetValue, IsProcessorFeaturePresent, CompareStringA, CompareStringW, lstrcatW, GetVersionExW, InterlockedDecrement, InterlockedIncrement, CreateEventW, QueryPerformanceFrequency, GetTempFileNameW, CopyFileW, GetTickCount, GetExitCodeThread, CreateThread, FindResourceW, GlobalUnlock, GlobalLock, SizeofResource, LockResource, LoadResource, lstrcpyW, GetWindowsDirectoryW, SetErrorMode, GetTempPathW, FlushInstructionCache, ExpandEnvironmentStringsW, lstrcpynW, GetModuleFileNameW, GetProcessHeap, HeapFree, HeapAlloc, WriteFile, SetFilePointer, ReadFile, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, CloseHandle, GetFileSize, CreateFileW, SetLastError, GetLastError, LoadLibraryA, GetSystemDirectoryA, GetProcAddress, GetModuleHandleW, TlsGetValue, TlsAlloc, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStringTypeW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, GetCurrentThreadId, HeapSize, AreFileApisANSI, GetModuleHandleExW, GetStdHandle, EncodePointer
USER32.dll	CreateWindowExW, SetTimer, KillTimer, LoadCursorW, RegisterClassW, DefWindowProcW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PostQuitMessage, GetSysColorBrush, CharPrevW, SendDlgItemMessageW, wvsprintfW, LoadImageW, CreateDialogParamW, MoveWindow, SetCursor, GetWindow, GetDlgItemTextW, SetFocus, EnableWindow, SetForegroundWindow, SetActiveWindow, SetDlgItemTextW, IsDialogMessageW, FindWindowW, SubtractRect, IntersectRect, SetRect, FillRect, GetSysColor, GetWindowRect, GetDC, GetSystemMetrics, GetDlgCtrlID, CreateDialogIndirectParamW, DestroyWindow, IsWindow, SendMessageW, MessageBoxW, CharNextW, WaitForInputIdle, SetWindowLongW, GetWindowLongW, GetClientRect, EndPaint, BeginPaint, ReleaseDC, ExitWindowsEx, CharUpperW, GetWindowDC, SetWindowPos, SetWindowTextW, GetDlgItem, EndDialog, DialogBoxIndirectParamW, ShowWindow, GetDesktopWindow, MsgWaitForMultipleObjects, PeekMessageW, wsprintfW, LoadIconW
GDI32.dll	UnrealizeObject, CreateHalftonePalette, GetDIBColorTable, SelectPalette, RealizePalette, GetSystemPaletteEntries, CreatePalette, CreateFontW, GetObjectW, SetTextColor, SetBkMode, GetDeviceCaps, CreateSolidBrush, CreateFontIndirectW, SetStretchBltMode, StretchBlt, SelectObject, DeleteDC, CreateDIBitmap, CreateCompatibleDC, BitBlt, DeleteObject, GetStockObject, TranslateCharsetInfo
ADVAPI32.dll	CryptCreateHash, CryptSignHashW, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid, OpenThreadToken, OpenProcessToken, SetEntriesInAclW, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, CreateWellKnownSid, RegQueryInfoKeyW, RegEnumKeyExW, RegDeleteKeyW, RegSetValueExW, RegEnumValueW, RegCreateKeyExW, RegDeleteValueW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOverridePredefKey, RegCreateKeyW, RegEnumKeyW, RegOpenKeyW, CryptAcquireContextW, CryptReleaseContext, CryptDeriveKey, CryptDestroyKey, CryptSetHashParam, CryptGetHashParam, CryptExportKey, CryptImportKey, CryptDestroyHash, CryptHashData, CryptVerifySignatureW
SHELL32.dll	SHGetMalloc, SHGetFolderPathW, SHBrowseForFolderW, ShellExecuteW, CommandLineToArgvW, SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW
ole32.dll	CoCreateInstance, StringFromGUID2, CoCreateGuid, CreateItemMoniker, GetRunningObjectTable, CLSIDFromProgID, CoTaskMemAlloc, CoTaskMemRealloc, ProgIDFromCLSID, CoTaskMemFree, CoUninitialize, CoInitializeSecurity, CoInitialize
OLEAUT32.dll	RegisterTypeLib, UnRegisterTypeLib, SetErrorInfo, LoadTypeLib, CreateErrorInfo, SysAllocStringLen, SysFreeString, SysReAllocStringLen, SysStringLen, SysAllocString, SysStringByteLen, SysAllocStringByteLen, VarBstrCat, VarBstrFromDate, VariantClear, VariantChangeType, GetErrorInfo, VarUI4FromStr, SystemTimeToVariantTime
RPCRT4.dll	RpcStringFreeW, UuidCreate, UuidToStringW, UuidFromStringW

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EasyLogUSB+Installer.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Created / dropped Files

C:\Config.Msi\3a61ae.rbs

C:\Program Files (x86)\EasyLog USB\CustomControls.dll

C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe

C:\Program Files (x86)\EasyLog USB\EL-USB.inf

C:\Program Files (x86)\EasyLog USB\EasyLog USB.chm

C:\Program Files (x86)\EasyLog USB\EasyLog USB.exe

C:\Program Files (x86)\EasyLog USB\EasyLogGraph.exe

C:\Program Files (x86)\EasyLog USB\ExportToExcel.dll

C:\Program Files (x86)\EasyLog USB\Sample CO.txt

C:\Program Files (x86)\EasyLog USB\Sample Current.txt

C:\Program Files (x86)\EasyLog USB\Sample Lite.txt

C:\Program Files (x86)\EasyLog USB\Sample RH.txt

C:\Program Files (x86)\EasyLog USB\Sample Temp.txt

C:\Program Files (x86)\EasyLog USB\Sample Voltage.txt

C:\Program Files (x86)\EasyLog USB\WPFToolkit.dll

C:\Program Files (x86)\EasyLog USB\setup.ini

C:\Program Files (x86)\EasyLog USB\siusbxp.cat

C:\Program Files (x86)\EasyLog USB\x64\SiLib.sys

C:\Program Files (x86)\EasyLog USB\x64\SiUSBXp.sys

C:\Program Files (x86)\EasyLog USB\x86\SiLib.sys

C:\Program Files (x86)\EasyLog USB\x86\SiUSBXp.sys

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyLog USB\EasyLog USB.lnk

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyLog USB\EasyLogGraph.lnk

C:\Users\Public\Desktop\EasyLog USB.lnk

C:\Users\Public\Desktop\EasyLog USB.lnk~RF3a6a48.TMP (copy)

C:\Users\Public\Desktop\~asyLog USB.tmp

C:\Users\user\AppData\Local\Temp\DLL_{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}.ini

C:\Users\user\AppData\Local\Temp\MSI478F.tmp

C:\Users\user\AppData\Local\Temp\{0D022C78-2169-466B-A31C-8D092A6A94A4}\0x0409.ini

C:\Users\user\AppData\Local\Temp\{0D022C78-2169-466B-A31C-8D092A6A94A4}\EasyLog USB.msi

C:\Users\user\AppData\Local\Temp\{0D022C78-2169-466B-A31C-8D092A6A94A4}\_ISMSIDEL.INI

C:\Users\user\AppData\Local\Temp\~305C.tmp

C:\Windows\Installer\MSI647C.tmp

C:\Windows\Installer\MSI6539.tmp

C:\Windows\Installer\SourceHash{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}

C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\ARPPRODUCTICON.exe

Windows Analysis Report
EasyLogUSB+Installer.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre