Windows Analysis Report
EasyLogUSB+Installer.exe

Overview

General Information

Sample name:	EasyLogUSB+Installer.exe
Analysis ID:	1501388
MD5:	d3d4273692e34102b88c513ad1c10040
SHA1:	1b75e5c2644fbf075040df437b15d4d2c128c2cf
SHA256:	cc2652dc33020fab609750a6f627e2f8e6597960b25f210981e62f5ad92f7d70
Infos:

Detection

Score:	6
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Compliance

Score:	45
Range:	0 - 100

Signatures

Checks for available system drives (often done to infect USB drives)

Creates driver files

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Launches processes in debugging mode, may be used to hinder debugging

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Execution From GUID Like Folder Names

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Signatures

Compliance

Uses 32bit PE files

Source: EasyLogUSB+Installer.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: EasyLogUSB+Installer.exe

Static PE information: certificate valid

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

System Summary

Creates driver files

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\EasyLog USB\x86\SiLib.sys

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3eab17.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIADF5.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAEF0.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\SiUSBXp.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLog_USB.exe_63257A9301FB4EABA085D3C69F470EC4.exe
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLogGraph.exe_3D39C605F6D0484A88F3AD4B82B13993.exe
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3eab19.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3eab19.msi

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIADF5.tmp

Uses 32bit PE files

Source: EasyLogUSB+Installer.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean6.winEXE@11/44@0/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\EasyLog USB

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\Public\Desktop\EasyLog USB.lnk

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:1992:120:WilError_03

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

File created: C:\Users\user\AppData\Local\Temp\{7F3BB4D9-1954-41B0-8FC6-1687CA4E557E}\

Source: EasyLogUSB+Installer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

File read: C:\Users\user\AppData\Local\Temp\{7F3BB4D9-1954-41B0-8FC6-1687CA4E557E}\Setup.INI

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

File read: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

Source: unknown	Process created: C:\Users\user\Desktop\EasyLogUSB+Installer.exe "C:\Users\user\Desktop\EasyLogUSB+Installer.exe"
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{7F3BB4D9-1954-41B0-8FC6-1687CA4E557E}\EasyLog USB.msi" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="EasyLogUSB+Installer.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C16B6E8B33D4F0B5DAD7A01ECF725878 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 27BDE6E8EAF7545954F65D95558F90D2
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe "C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe"
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{7F3BB4D9-1954-41B0-8FC6-1687CA4E557E}\EasyLog USB.msi" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="EasyLogUSB+Installer.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C16B6E8B33D4F0B5DAD7A01ECF725878 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 27BDE6E8EAF7545954F65D95558F90D2
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe "C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: msi.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched20.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: usp10.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: acgenral.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: aclayers.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: sfc.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: textshaping.dll

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

File written: C:\Users\user\AppData\Local\Temp\{7F3BB4D9-1954-41B0-8FC6-1687CA4E557E}\Setup.INI

Source: EasyLogUSB+Installer.exe

Static PE information: certificate valid

Source: EasyLogUSB+Installer.exe

Static file information: File size 19500624 > 1048576

Source: EasyLogUSB+Installer.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\ExportToExcel.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\EasyLog USB.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\SiUSBXp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLogGraph.exe_3D39C605F6D0484A88F3AD4B82B13993.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\x86\SiLib.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\x64\SiUSBXp.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\x86\SiUSBXp.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI96C5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\EasyLogGraph.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLog_USB.exe_63257A9301FB4EABA085D3C69F470EC4.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\x64\SiLib.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\CustomControls.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI9656.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\WPFToolkit.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\SiUSBXp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLogGraph.exe_3D39C605F6D0484A88F3AD4B82B13993.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLog_USB.exe_63257A9301FB4EABA085D3C69F470EC4.exe	Jump to dropped file

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyLog USB
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyLog USB\EasyLog USB.lnk
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyLog USB\EasyLogGraph.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\ExportToExcel.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\EasyLog USB.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\SiUSBXp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLogGraph.exe_3D39C605F6D0484A88F3AD4B82B13993.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\x86\SiLib.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\x64\SiUSBXp.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\x86\SiUSBXp.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI96C5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\EasyLogGraph.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLog_USB.exe_63257A9301FB4EABA085D3C69F470EC4.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\x64\SiLib.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\CustomControls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\WPFToolkit.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9656.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Anti Debugging

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe "C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe"

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation

Screenshots

Network Map

⊘No contacted IP infos

Name	Type	MD5	SHA1	SHA256
C:\Config.Msi\3eab18.rbs	data	7BE4DD488B5F73A58993D89780421231	0A872C95794C761083F2A96E135E5DF18271AA27	CA2ED180236A8119FF0F03D09E78A6991D26C66C8794E07D04ACB048CDF13A2A
C:\Program Files (x86)\EasyLog USB\CustomControls.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	D45DC6705A858837B48002B099259447	7381790B9470B8120D40CC8170EF31625AFA41FC	625364E42240CCD4D34DCEDDDA385C5B999C82254866886FDECF71E2E51EAA82
C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	PE32 executable (GUI) Intel 80386, for MS Windows	4BD3D58BEB869D0895D93ACCADC08032	9005888DFBC0B2483DC4DA69683B46AA70A54283	604330AE230A4FDE9A3C4401CDD544394910D55DDF651A84259E0B03B39DF35E
C:\Program Files (x86)\EasyLog USB\EL-USB.inf	Windows setup INFormation	4AE3D4215836D424C461C60E841509A8	155EFD4F098E9A5294AFF18E2A0E45AAC5ED0310	6737F7F6737B4E37004D3F3FE3DBC9A2DB68FB74DF481B39AA0ACDBD238EDA79
C:\Program Files (x86)\EasyLog USB\EasyLog USB.chm	MS Windows HtmlHelp Data	B40F9A166584B9979C4DDF94E9C58B84	7A885114A83F0A73ADEAF1180FD8182BDE270678	A7B13BEB1F0EE9EB22CB72B41D4396B27834FCB8A0C98DFBB1DE7283C6DBF345
C:\Program Files (x86)\EasyLog USB\EasyLog USB.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	3B858BC0334BA720B83C388E909ADB76	D7E5D67093A04417127BCB78B3D429157E7D668B	19A191AAE469323D2BF25E1C7FB80BDD09E98F88BC4A6B3907BE12B57BE739AD
C:\Program Files (x86)\EasyLog USB\EasyLogGraph.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	99A338CA1E3B2F789BEBF09E5DA98DB6	BF360B9A4A311350FF65EA63D18ED8823F9299F0	27767F40E341717951DCDF231C09ADFB0C85A411A541DEB59A18EC773D09D800
C:\Program Files (x86)\EasyLog USB\ExportToExcel.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	7DBCED1DFC2BA8632169292C78DB9023	C7902951A4853BDFA7074261F0C5444CF6137845	615536B9FBF5B1F79C081224D136EC6AD2DB6B51B73BC455F2D7F2F18A0F9C19
C:\Program Files (x86)\EasyLog USB\Sample CO.txt	ASCII text, with CRLF line terminators	8506D085E11D902F8A1823E7E321BBDE	ADBAD1E5A097730E6B887D813962AC725DAB4231	791BE0332C3BDCC86842EA3C144CF37E00192F0A318EDBC57A020979CF229417
C:\Program Files (x86)\EasyLog USB\Sample Current.txt	ASCII text, with CRLF line terminators	B293E1467C132E759298BC9C6D6DED7D	38326172C6A6146F0BF0F12A18144A1C38B379C6	4B0F35D8B010E8BFC24942AF1635DD6FDF8432AE5DD8B88D361EB1DF1AE06DD3
C:\Program Files (x86)\EasyLog USB\Sample Lite.txt	ISO-8859 text, with CRLF line terminators	489A922F2345B000FD6D82CD4217F1D5	3DEF20F03E42CD21F273D5031BC4CE2C79716675	0AC3BFFE44A6FF29323208F95D6487F84F8FE172065AE5C37714E46C2690BFE1
C:\Program Files (x86)\EasyLog USB\Sample RH.txt	ISO-8859 text, with CRLF line terminators	F8F1C58AA92A4C8850F434A77FE4411A	CCCADD7400963855821CD1A849D5A184B54591AF	4ED4C172605C504B5FDB6660DE03B708D4174814DD738FC8DA38B9C439BA7447
C:\Program Files (x86)\EasyLog USB\Sample Temp.txt	ASCII text, with CRLF line terminators	E5477135B40BAFC5CDBC0887E9F43E91	4A98CBD1BF41A7BDB4BABB53085131072914C832	ACCD81ED3E1A0DE10AB90D303C50B35185FFFBAC3ADB65675B22F923551D5792
C:\Program Files (x86)\EasyLog USB\Sample Voltage.txt	ASCII text, with CRLF line terminators	86086555543DDAF5B4703A617984C70C	CD3921237802C1958A888D0273519A6B6E3C3AD1	8A10FFA4AEDBDA127188FBC46437A04DE0618F3E056C084A76017990EB559C3F
C:\Program Files (x86)\EasyLog USB\WPFToolkit.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	195ED09E0B4F3B09EA4A3B67A0D3F396	01A250631397C93C4AAB9A777A86E39FD8D84F09	AEF9FCBB874FC82E151E32279330061F8F22A77C05F583A0CB5E5696654AC456
C:\Program Files (x86)\EasyLog USB\setup.ini	Generic INItialization configuration [Driver Version]	0A73FF24BBBB30B912BFC115A24019AB	EE921F92A90C13A153094E090A93EEA572EA22A4	E19491ADE2529A48A75E625E512175ACD5BB98CA6739BEE958AAE5822E3CA488
C:\Program Files (x86)\EasyLog USB\siusbxp.cat	data	0F98B187AC70FCBC464912A833656EB3	3A9DA589492C7B9C419DA9BD0018100628F9D55E	5FED39B28E3E4BB08403553C508DCC5E242A99463A957BDF0C1E42F16E2A19D6
C:\Program Files (x86)\EasyLog USB\x64\SiLib.sys	PE32+ executable (native) x86-64, for MS Windows	971FA2980AB94A90B6A9A8385267E653	FC739185177A85ED04B71C6A8D5FDFB72D919306	25E3D0517AFCBD70C1EBB53097F096E1BDA49DC4524E3C858489E5EC12825608
C:\Program Files (x86)\EasyLog USB\x64\SiUSBXp.sys	PE32+ executable (native) x86-64, for MS Windows	CEDF7CFFCCD03451FD22DBAAC2E3DE8E	3FD8383608DB769A1E2C8E0C1302C315DCA8B37E	A1F4B952099EBA4BA4E659782F85B45C4BBB411BF5B7C02D5BE0CC3DBF27AFF3
C:\Program Files (x86)\EasyLog USB\x86\SiLib.sys	PE32 executable (native) Intel 80386, for MS Windows	812318F3E7BD682E1C22F0B707F66E82	AA17A293AEC2BF1239779A8D439F84B2602D76AD	9B4C47FAA4BD6F22E75CF8430BAC37E48108C35B6737850E583EFDC37C4D8A81
C:\Program Files (x86)\EasyLog USB\x86\SiUSBXp.sys	PE32 executable (native) Intel 80386, for MS Windows	599F3715602F4CB09AD0FDC606E3B9D9	659F9A1CF662260F3FB197E6FE3592922014E831	589FEA41EF48ACD9F0FC54AB25A430E5627D17E8EC3C950F3C5CB71C348E9B8D
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyLog USB\EasyLog USB.lnk	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide	AD6EDC97A8ADF247A41FCFF832386DFE	F1FA6469F869F8FCEC7631D1F16FB11678CE2E15	CD5FEC9C4F4242B25DD753EC2F1B78849B380CFE82F880A07CA8BAB1F238F99C
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyLog USB\EasyLogGraph.lnk	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide	992A06209D6CBC7C25B1676E3979A571	FD4B63B71157503A1244357A9B53293A575892FC	10D3A77D970556B6100ACBC821995AA7E5D88DBC5637613235E71F66DB176F4F
C:\Users\Public\Desktop\EasyLog USB.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Feb 18 18:11:02 2021, mtime=Thu Aug 29 17:51:54 2024, atime=Thu Feb 18 18:11:02 2021, length=2468864, window=hide	FC8B7CCD3FC06C093E4B7FB5FD9366EC	FDEF120EA28081EE3E90EE03C92B76B464DB3F67	3570012FACBCA736F40EB89EC6626C2D8F715CAC37F05BF894E711234C1F2FFC
C:\Users\Public\Desktop\EasyLog USB.lnk~RF3eb3d1.TMP (copy)	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Feb 18 18:11:02 2021, mtime=Thu Aug 29 17:51:54 2024, atime=Thu Feb 18 18:11:02 2021, length=2468864, window=hide	FC8B7CCD3FC06C093E4B7FB5FD9366EC	FDEF120EA28081EE3E90EE03C92B76B464DB3F67	3570012FACBCA736F40EB89EC6626C2D8F715CAC37F05BF894E711234C1F2FFC
C:\Users\Public\Desktop\~asyLog USB.tmp	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Feb 18 18:11:02 2021, mtime=Thu Aug 29 17:51:54 2024, atime=Thu Feb 18 18:11:02 2021, length=2468864, window=hide	DA45A723075941B2748E8D05EEC516FA	0BF5D9DA505EDCDDFE560B73C79E2528B77783CF	DE0F68DC2211A92B69D8249005775A16AE22E73A175D02162AD33CB4B4B8C1C3
C:\Users\user\AppData\Local\Temp\DLL_{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}.ini	ASCII text, with CRLF line terminators	52E37704F6B2D0A60914D4FC33BB8392	865DE5AD56B952BC6A55A44A9B25C5982B08856D	80D350EEFE5A06D8D5939421EA8AA11227E1CB7531405D44D236F7C520BD1D26
C:\Users\user\AppData\Local\Temp\MSI9656.tmp	PE32 executable (DLL) (console) Intel 80386, for MS Windows	557E647D925831D32DA575BF45C849D7	50B607E57D527CD076BE0BA23E1177890A401C12	E41012393DACFDF2632243323D5718EA962ED96FD8248D1C6747903E4C2A1D36
C:\Users\user\AppData\Local\Temp\MSI96C5.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	69E9BB71D4D394E87F0109734D328371	82FBEF8F36AECEFBCA489D58C09CDF4B0386F787	C3A87617D5BA229A62DA7FD4E0929BE26CAC33C58470FD5E5F0B54C30FF4D172
C:\Users\user\AppData\Local\Temp\{7F3BB4D9-1954-41B0-8FC6-1687CA4E557E}\0x0409.ini	Unicode text, UTF-16, little-endian text, with very long lines (308), with CRLF line terminators	A108F0030A2CDA00405281014F897241	D112325FA45664272B08EF5E8FF8C85382EBB991	8B76DF0FFC9A226B532B60936765B852B89780C6E475C152F7C320E085E43948
C:\Users\user\AppData\Local\Temp\{7F3BB4D9-1954-41B0-8FC6-1687CA4E557E}\EasyLog USB.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: EasyLog USB, Author: Lascar Electronics Ltd., Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2016 - Professional Edition 23, Last Saved Time/Date: Mon Aug 8 16:29:11 2022, Create Time/Date: Mon Aug 8 16:29:11 2022, Last Printed: Mon Aug 8 16:29:11 2022, Revision Number: {8C7E2C80-4C6F-4A5C-9FDD-5AA316A9E29A}, Code page: 1252, Template: Intel;1033	0667825A7C186AB1769BEF4A2D0D5CA6	06EFBC582B852C4964CA6CA1DEFB5B13B182B0BA	A0875FA7ABF8474D2864DAFA61CCA887F0EA81ED0B82B57184046A1E946E4C10
C:\Users\user\AppData\Local\Temp\{7F3BB4D9-1954-41B0-8FC6-1687CA4E557E}\_ISMSIDEL.INI	Unicode text, UTF-16, little-endian text, with CRLF line terminators	17E6BBD1E8595815759254889DE4FF8B	F15138BF500C539F7E680D90A23C0FF43F1885F5	F470800E59BDDF14C139633534D9B7453DCBD8B5DB3EF3CB557B7AA21D77CDD4
C:\Users\user\AppData\Local\Temp\~7FE1.tmp	Unicode text, UTF-16, little-endian text, with CRLF line terminators	33F13D68A9E9F9845760A257286545AA	A2B07B4FBF4BFCCFF550469FC12C7030892D9355	A231E341F8E0997464F740BEC5526711605B173DC2C3101D580DB82AB636E67A
C:\Windows\Installer\MSIAEF0.tmp	data	F1C4E84781028AAD9477FCBE89B0D6A3	F72E77E08ADFEFABC24DBC22782F88871CDEE00E	0077833AC391A6FDCE0E95B7867994D0A8BF0EEBA89B6B098A777D43CE05AF81
C:\Windows\Installer\SourceHash{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}	Composite Document File V2 Document, Cannot read section info	66F1B9EECDF5194B5E9683C0549EE498	BD8D4F3ED82E74B7A078FA107B42322B2A29B192	2C018D5C479862D93C29E6125311976D2F03EE175BE7F00CE100449F4045298C
C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\ARPPRODUCTICON.exe	PE32 executable (GUI) Intel 80386, for MS Windows	23C1D640A469D3086A14F9FDF449EB50	2F277BA7EC429B93FE4D3879973024F8BACBE832	AE66EC7081CE696B549E39F70E5ADA5F57AC6F8173773EED1144039C24946945
C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLogGraph.exe_3D39C605F6D0484A88F3AD4B82B13993.exe	PE32 executable (GUI) Intel 80386, for MS Windows	6E27FC142F298EEE2A5C37F3DF46975B	0348059D4CE805D7099F3E24CF9AF5548C971176	70DCCB008ACA50A9F1925967DF3A15B581623FEF1AF005C5BD6BD59451AA8E79
C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLog_USB.exe_63257A9301FB4EABA085D3C69F470EC4.exe	PE32 executable (GUI) Intel 80386, for MS Windows	A2936C32057A1EC0E7F343B46A1C2D60	6FA37460864A7452A0F0E82EB87D59EEAE1058ED	18F7E5E9E33F1A914EE9E64B239B7EB0D7FDC55C7BC2C06FFD97A23E76A8817C
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	2530EDE50E19F9419DAC8CC98DF2CFDC	D67B7B8F014E382BEB7EA323CDFBA2135A9F3B26	DA4354C52FC97E32B539D9C90ED3EC6D2F61017C5861D885312A193F8BB9E6CD
C:\Windows\SysWOW64\SiUSBXp.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	372584E745A5A968AA02D7B969FB377B	3333F82ED9FBD12CBF79C4E37EC65A7991BF60F5	77BAADD8CF594F91C20DA6F46A0AB939796D03F92AECB5D478049D419AA8DF13
C:\Windows\Temp\~DF27AAA7E9E10F339B.TMP	data	5D8AF881A7158C623712BC3CD1A76B09	40E90FB951DE71DE72EBFBF0B2BFC7984B23FCA6	385152E36E0B50A64A9CEDF429C4FE0CD33A3029E6370759925B46E4330CE28B
C:\Windows\Temp\~DF4A57EFF6E7DD5F87.TMP	Composite Document File V2 Document, Cannot read section info	E2F3C1A2E03FA33972A9689A811CADD7	BB937B16BD1C1425C4CA90A618FDA90588C11A4B	5053A5A5DF7585D4B44DA1D3EF24121927629F2E4BF1FEBB3EA5906AE5243806
C:\Windows\Temp\~DF5D029E8F70E46DD8.TMP	data	C20051FAD9BF592298D88B23073C7758	203F35B2A93DC8E0896D7E65C081AA593D8F5089	8EDE3DA36D4A8A1EEB706EABB21DC8B2DAAB0FC6CF0D74818EBBC8EECA02EE3B
C:\Windows\Temp\~DFDAF947B7A71A72C6.TMP	Composite Document File V2 Document, Cannot read section info	3C00E3104F2C14F48B953DB825835ADC	22869A1957060F00226DECCEDB1D4D489B4EBD7D	4F5F9714E0BE81639380FFDB141E3CE9CF0D2944CA73B1BD0C649717FBC94D85
C:\Windows\Temp\~DFE4AC057D44E4FD3A.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

Compliance

Uses 32bit PE files

Source: EasyLogUSB+Installer.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: EasyLogUSB+Installer.exe

Static PE information: certificate valid

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

System Summary

Creates driver files

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\EasyLog USB\x86\SiLib.sys

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3eab17.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIADF5.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAEF0.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\SiUSBXp.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLog_USB.exe_63257A9301FB4EABA085D3C69F470EC4.exe
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLogGraph.exe_3D39C605F6D0484A88F3AD4B82B13993.exe
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3eab19.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3eab19.msi

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIADF5.tmp

Uses 32bit PE files

Source: EasyLogUSB+Installer.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean6.winEXE@11/44@0/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\EasyLog USB

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\Public\Desktop\EasyLog USB.lnk

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:1992:120:WilError_03

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

File created: C:\Users\user\AppData\Local\Temp\{7F3BB4D9-1954-41B0-8FC6-1687CA4E557E}\

Source: EasyLogUSB+Installer.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

File read: C:\Users\user\AppData\Local\Temp\{7F3BB4D9-1954-41B0-8FC6-1687CA4E557E}\Setup.INI

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

File read: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

Source: unknown	Process created: C:\Users\user\Desktop\EasyLogUSB+Installer.exe "C:\Users\user\Desktop\EasyLogUSB+Installer.exe"
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{7F3BB4D9-1954-41B0-8FC6-1687CA4E557E}\EasyLog USB.msi" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="EasyLogUSB+Installer.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C16B6E8B33D4F0B5DAD7A01ECF725878 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 27BDE6E8EAF7545954F65D95558F90D2
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe "C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe"
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\user\AppData\Local\Temp\{7F3BB4D9-1954-41B0-8FC6-1687CA4E557E}\EasyLog USB.msi" SETUPEXEDIR="C:\Users\user\Desktop" SETUPEXENAME="EasyLogUSB+Installer.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C16B6E8B33D4F0B5DAD7A01ECF725878 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 27BDE6E8EAF7545954F65D95558F90D2
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe "C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: msi.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: riched20.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: usp10.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: acgenral.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: aclayers.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: sfc.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Section loaded: textshaping.dll

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe

File written: C:\Users\user\AppData\Local\Temp\{7F3BB4D9-1954-41B0-8FC6-1687CA4E557E}\Setup.INI

Source: EasyLogUSB+Installer.exe

Static PE information: certificate valid

Source: EasyLogUSB+Installer.exe

Static file information: File size 19500624 > 1048576

Source: EasyLogUSB+Installer.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\ExportToExcel.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\EasyLog USB.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\SiUSBXp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLogGraph.exe_3D39C605F6D0484A88F3AD4B82B13993.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\x86\SiLib.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\x64\SiUSBXp.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\x86\SiUSBXp.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI96C5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\EasyLogGraph.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLog_USB.exe_63257A9301FB4EABA085D3C69F470EC4.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\x64\SiLib.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\CustomControls.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI9656.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\EasyLog USB\WPFToolkit.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\SiUSBXp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLogGraph.exe_3D39C605F6D0484A88F3AD4B82B13993.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLog_USB.exe_63257A9301FB4EABA085D3C69F470EC4.exe	Jump to dropped file

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyLog USB
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyLog USB\EasyLog USB.lnk
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyLog USB\EasyLogGraph.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\ExportToExcel.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\EasyLog USB.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\SiUSBXp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLogGraph.exe_3D39C605F6D0484A88F3AD4B82B13993.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\x86\SiLib.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\x64\SiUSBXp.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\x86\SiUSBXp.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI96C5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\EasyLogGraph.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{B4E4EFE5-93D9-435B-BDE9-3525A9689EB9}\EasyLog_USB.exe_63257A9301FB4EABA085D3C69F470EC4.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\x64\SiLib.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\CustomControls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\EasyLog USB\WPFToolkit.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9656.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\EasyLogUSB+Installer.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Anti Debugging

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe "C:\Program Files (x86)\EasyLog USB\EL-USB Driver Setup.exe"

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation

ID:	1501388
Product:	CloudBasic
Start time:	20:51:13
Start date:	29.08.2024
Sample:	EasyLogUSB+Installer.exe
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	d3d4273692e34102b88c513ad1c10040
SHA1:	1b75e5c2644fbf075040df437b15d4d2c128c2cf
SHA256:	cc2652dc33020fab609750a6f627e2f8e6597960b25f210981e62f5ad92f7d70
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report EasyLogUSB+Installer.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Signatures

Compliance

Spreading

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Network Map

Windows Analysis Report
EasyLogUSB+Installer.exe