Windows Analysis Report
1944b321.msi

Overview

General Information

Sample name: 1944b321.msi
Analysis ID: 1546437
MD5: f2f3a908a18ef6b45b50e1105326b833
SHA1: d01c20894cff8efa96e3394fcb54a8f4cea0f764
SHA256: ef896df89c6088517c117552424e932d590ebd483decc3c9f444a18ce88179fd

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Creates an undocumented autostart registry key
Disables DEP (Data Execution Prevention) for certain images
Modifies the windows firewall
PE file has nameless sections
Uses netsh to modify the Windows network and firewall settings
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion NT Autorun Keys Modification
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic

Classification

AV Detection

Source: C:\ProgramData\MPK\is-EQREG.tmp Avira: detection malicious, Label: APPL/MonitorTool.Gen
Source: C:\ProgramData\MPK\is-NK5I1.tmp Avira: detection malicious, Label: APPL/MonitorTool.Gen
Source: C:\ProgramData\MPK\MPK.dll (copy) ReversingLabs: Detection: 53%
Source: C:\ProgramData\MPK\MPK.exe (copy) ReversingLabs: Detection: 62%
Source: C:\ProgramData\MPK\MPK64.dll (copy) ReversingLabs: Detection: 44%
Source: C:\ProgramData\MPK\MPKInst.exe (copy) ReversingLabs: Detection: 40%
Source: C:\ProgramData\MPK\MpkHCA.dll (copy) ReversingLabs: Detection: 64%
Source: C:\ProgramData\MPK\MpkL64.exe (copy) ReversingLabs: Detection: 45%
Source: C:\ProgramData\MPK\is-5U9RI.tmp ReversingLabs: Detection: 24%
Source: C:\ProgramData\MPK\is-7IT87.tmp ReversingLabs: Detection: 44%
Source: C:\ProgramData\MPK\is-EQREG.tmp ReversingLabs: Detection: 62%
Source: C:\ProgramData\MPK\is-H68I0.tmp ReversingLabs: Detection: 44%
Source: C:\ProgramData\MPK\is-M13BC.tmp ReversingLabs: Detection: 45%
Source: C:\ProgramData\MPK\is-NK5I1.tmp ReversingLabs: Detection: 64%
Source: C:\ProgramData\MPK\is-RJO8C.tmp ReversingLabs: Detection: 53%
Source: C:\ProgramData\MPK\is-URL53.tmp ReversingLabs: Detection: 40%
Source: C:\ProgramData\MPK\lsynchost.exe (copy) ReversingLabs: Detection: 44%
Source: C:\ProgramData\MPK\mpk_emni_mpk.exe ReversingLabs: Detection: 51%
Source: C:\ProgramData\MPK\unins000.exe (copy) ReversingLabs: Detection: 24%
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp ReversingLabs: Detection: 24%
Source: 1944b321.msi ReversingLabs: Detection: 33%
Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.0.1l\out32dll\libeay32.pdbl source: is-3LL6A.tmp.4.dr
Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.0.1l\out32dll\libeay32.pdb source: is-3LL6A.tmp.4.dr
Source: Binary string: Inspect.pdb source: is-ARHTI.tmp.4.dr
Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.0.1l\out32dll\ssleay32.pdb source: is-SUMV4.tmp.4.dr
Source: Binary string: CHARTOOEMBUFFl\Release\isunzlib.pdb source: mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002CAD000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029B4000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr
Source: Binary string: D:\asf\httpd-2.2\srclib\zlib\zlib1.pdb source: is-GH6IU.tmp.4.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\netsh.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:64622
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:64805
Source: mpk_emni_mpk.exe, 00000003.00000003.2060667547.000000007FE41000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2060281542.00000000024A5000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000002.2102814872.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 1944b321.msi, 4e7f65.msi.1.dr, is-EQREG.tmp.4.dr, mpk_emni_mpk.exe.1.dr, is-RJO8C.tmp.4.dr, 4e7f67.msi.1.dr, mpk_emni_mpk.tmp.3.dr String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: mpk_emni_mpk.exe, 00000003.00000003.2060667547.000000007FE41000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2060281542.00000000024A5000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000002.2102814872.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 1944b321.msi, 4e7f65.msi.1.dr, is-EQREG.tmp.4.dr, mpk_emni_mpk.exe.1.dr, is-RJO8C.tmp.4.dr, 4e7f67.msi.1.dr, mpk_emni_mpk.tmp.3.dr String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: mpk_emni_mpk.exe, 00000003.00000003.2060667547.000000007FE41000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2060281542.00000000024A5000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000002.2102814872.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 1944b321.msi, 4e7f65.msi.1.dr, is-EQREG.tmp.4.dr, mpk_emni_mpk.exe.1.dr, is-RJO8C.tmp.4.dr, 4e7f67.msi.1.dr, mpk_emni_mpk.tmp.3.dr String found in binary or memory: http://sf.symcd.com0&
Source: mpk_emni_mpk.exe, 00000003.00000003.2059670958.0000000002390000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2103847115.00000000021DC000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.000000000228B000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.0000000002258000.00000004.00001000.00020000.00000000.sdmp, unins000.msg.4.dr String found in binary or memory: http://www.dk-soft.org/
Source: mpk_emni_mpk.exe, 00000003.00000003.2103847115.00000000021BF000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.dk-soft.org/0
Source: mpk_emni_mpk.tmp, 00000004.00000003.2101887413.0000000002258000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.google-analytics.com/collect
Source: mpk_emni_mpk.exe, 00000003.00000003.2060281542.0000000002390000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2060667547.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000000.2061522413.0000000000401000.00000020.00000001.01000000.00000004.sdmp, mpk_emni_mpk.tmp.3.dr String found in binary or memory: http://www.innosetup.com/
Source: mpk_emni_mpk.exe, 00000003.00000000.2058969608.0000000000401000.00000020.00000001.01000000.00000003.sdmp, mpk_emni_mpk.exe.1.dr String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mipko.ru/
Source: mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mipko.ru/$QuickHelpMainLabel
Source: mpk_emni_mpk.exe, 00000003.00000003.2059670958.0000000002390000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mipko.ru/(http://www.mipko.ru/(http://www.mipko.ru/(
Source: mpk_emni_mpk.exe, 00000003.00000003.2103847115.0000000002241000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.0000000002311000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mipko.ru/1
Source: mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.0000000002243000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mipko.ru/employee-monitor/tutorial-msi.php?reffrominfo=INSTALL&refverinfo=0
Source: mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mipko.ru/helponline.php?reffrominfo=INSTALL&refverinfo=0
Source: mpk_emni_mpk.tmp, 00000004.00000003.2101887413.000000000224A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mipko.ru/helponline.php?reffrominfo=INSTALL&refverinfo=0a
Source: mpk_emni_mpk.tmp, 00000004.00000003.2101887413.000000000224A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mipko.ru/helponline.php?reffrominfo=INSTALL&refverinfo=0q
Source: mpk_emni_mpk.exe, 00000003.00000003.2103847115.0000000002241000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.0000000002311000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mipko.ru/q
Source: mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.000000000224A000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mipko.ru/register.php?reffrominfo=INSTALL&refverinfo=0
Source: mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mipko.ru/uninstall.htm?reffrominfo=INSTALL&refverinfo=0
Source: mpk_emni_mpk.tmp, 00000004.00000003.2101887413.000000000224A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.mipko.ru/uninstall.htm?reffrominfo=INSTALL&refverinfo=09
Source: is-3LL6A.tmp.4.dr, is-SUMV4.tmp.4.dr String found in binary or memory: http://www.openssl.org/V
Source: is-3LL6A.tmp.4.dr String found in binary or memory: http://www.openssl.org/support/faq.html
Source: is-3LL6A.tmp.4.dr String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: mpk_emni_mpk.exe, 00000003.00000003.2060281542.0000000002390000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2060667547.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000000.2061522413.0000000000401000.00000020.00000001.01000000.00000004.sdmp, mpk_emni_mpk.tmp.3.dr String found in binary or memory: http://www.remobjects.com/ps
Source: mpk_emni_mpk.exe, 00000003.00000003.2060667547.000000007FE41000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2060281542.00000000024A5000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000002.2102814872.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 1944b321.msi, 4e7f65.msi.1.dr, is-EQREG.tmp.4.dr, mpk_emni_mpk.exe.1.dr, is-RJO8C.tmp.4.dr, 4e7f67.msi.1.dr, mpk_emni_mpk.tmp.3.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: mpk_emni_mpk.exe, 00000003.00000003.2060667547.000000007FE41000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2060281542.00000000024A5000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000002.2102814872.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 1944b321.msi, 4e7f65.msi.1.dr, is-EQREG.tmp.4.dr, mpk_emni_mpk.exe.1.dr, is-RJO8C.tmp.4.dr, 4e7f67.msi.1.dr, mpk_emni_mpk.tmp.3.dr String found in binary or memory: https://d.symcb.com/rpa0

System Summary

Source: is-EQREG.tmp.4.dr Static PE information: section name:
Source: is-EQREG.tmp.4.dr Static PE information: section name:
Source: is-EQREG.tmp.4.dr Static PE information: section name:
Source: is-EQREG.tmp.4.dr Static PE information: section name:
Source: is-EQREG.tmp.4.dr Static PE information: section name:
Source: is-EQREG.tmp.4.dr Static PE information: section name:
Source: is-EQREG.tmp.4.dr Static PE information: section name:
Source: is-EQREG.tmp.4.dr Static PE information: section name:
Source: is-EQREG.tmp.4.dr Static PE information: section name:
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4e7f65.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{9EBEE94E-B80E-4DDF-961B-A35BE6877C22}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI83EA.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4e7f67.msi
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\Windows\SysWOW64\is-ARHTI.tmp
Source: C:\Windows\SysWOW64\netsh.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\PeerDistRepub
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\4e7f67.msi
Source: mpk_emni_mpk.tmp.3.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: mpk_emni_mpk.tmp.3.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-5U9RI.tmp.4.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-5U9RI.tmp.4.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-JS61I.tmp.4.dr Static PE information: Number of sections : 19 > 10
Source: is-EQREG.tmp.4.dr Static PE information: Number of sections : 12 > 10
Source: is-EQREG.tmp.4.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: is-EQREG.tmp.4.dr Static PE information: Section: ZLIB complexity 1.000859375
Source: is-EQREG.tmp.4.dr Static PE information: Section: ZLIB complexity 1.0005542652027026
Source: is-EQREG.tmp.4.dr Static PE information: Section: ZLIB complexity 1.0008445945945945
Source: is-EQREG.tmp.4.dr Static PE information: Section: ZLIB complexity 1.0107421875
Source: classification engine Classification label: mal84.evad.winMSI@25/66@0/0
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\ProgramData\MPK\MPKInst.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\MPK_MUTEX_42587B64572B06762F7D7E70674A777103
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\ProgramData\MPK\lsynchost.exe Mutant created: \BaseNamedObjects\Global\MPK_MUTEX_42587B64572B06762F1A757B76
Source: C:\ProgramData\MPK\lsynchost.exe Mutant created: \BaseNamedObjects\Global\MPK_MUTEX_23587B645730146A376D7E607B2B617D687C6D2F
Source: C:\ProgramData\MPK\lsynchost.exe Mutant created: \BaseNamedObjects\Global\MPK_MUTEX_23587B64572B07753D7A736B7C376607036170
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\ProgramData\MPK\lsynchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\MPK_MUTEX_42587B64572B07753D7A736B7C376607036170
Source: C:\ProgramData\MPK\lsynchost.exe Mutant created: \BaseNamedObjects\Global\MPK_MUTEX_20587B64572B07753D7A736B7C376607036170
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DFEDA63B10F1214E09.TMP
Source: Yara match File source: 10.0.MPKInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.lsynchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2093241826.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.2094922926.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\MPK\is-7IT87.tmp, type: DROPPED
Source: Yara match File source: C:\ProgramData\MPK\is-URL53.tmp, type: DROPPED
Source: C:\ProgramData\MPK\mpk_emni_mpk.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPK\MPKInst.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPK\MPKInst.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPK\lsynchost.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPK\lsynchost.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPK\lsynchost.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPK\lsynchost.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPK\lsynchost.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPK\lsynchost.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPK\lsynchost.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPK\lsynchost.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: 1944b321.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
Source: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1944b321.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\ProgramData\MPK\mpk_emni_mpk.exe "C:\ProgramData\MPK\mpk_emni_mpk.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "C:\Users\user\Desktop\" /LOG="C:\ProgramData\MPK\mpk_em_log.txt"
Source: C:\ProgramData\MPK\mpk_emni_mpk.exe Process created: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp "C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp" /SL5="$3049C,4852295,119296,C:\ProgramData\MPK\mpk_emni_mpk.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "C:\Users\user\Desktop\" /LOG="C:\ProgramData\MPK\mpk_em_log.txt"
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Process created: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp helper 105 0x3DC
Source: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yes
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yes
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Process created: C:\ProgramData\MPK\MPKInst.exe "C:\ProgramData\MPK\MPKInst.exe" /i /dr /cp
Source: C:\ProgramData\MPK\MPKInst.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\MPK\MPKInst.exe Process created: C:\ProgramData\MPK\lsynchost.exe c:\programdata\mpk\\lsynchost.exe /install /silent
Source: unknown Process created: C:\ProgramData\MPK\lsynchost.exe c:\programdata\mpk\lsynchost.exe /startedbyscm:E4233B4F-40E3FE91-MPKService
Source: C:\ProgramData\MPK\lsynchost.exe Process created: C:\ProgramData\MPK\lsynchost.exe "c:\programdata\mpk\lsynchost.exe" /runsrv
Source: C:\ProgramData\MPK\lsynchost.exe Process created: C:\ProgramData\MPK\lsynchost.exe "c:\programdata\mpk\lsynchost.exe" /runsrv \MID:D
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\ProgramData\MPK\mpk_emni_mpk.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPK\mpk_emni_mpk.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: msimg32.dll
Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: version.dll
Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: wtsapi32.dll
Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: userenv.dll
Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: winsta.dll
Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: avrt.dll
Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: msimg32.dll
Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: version.dll
Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: mpr.dll
Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: wtsapi32.dll
Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: userenv.dll
Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: winsta.dll
Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: avrt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 1944b321.msi Static file information: File size 5255168 > 1048576
Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.0.1l\out32dll\libeay32.pdbl source: is-3LL6A.tmp.4.dr
Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.0.1l\out32dll\libeay32.pdb source: is-3LL6A.tmp.4.dr
Source: Binary string: Inspect.pdb source: is-ARHTI.tmp.4.dr
Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.0.1l\out32dll\ssleay32.pdb source: is-SUMV4.tmp.4.dr
Source: Binary string: CHARTOOEMBUFFl\Release\isunzlib.pdb source: mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002CAD000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029B4000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr
Source: Binary string: D:\asf\httpd-2.2\srclib\zlib\zlib1.pdb source: is-GH6IU.tmp.4.dr
Source: is-EQREG.tmp.4.dr Static PE information: section name: (empty; 9 nameless sections in this file)
Source: is-EQREG.tmp.4.dr Static PE information: section name: .adata
Source: is-JS61I.tmp.4.dr Static PE information: section name: /4
Source: is-JS61I.tmp.4.dr Static PE information: section name: /19
Source: is-JS61I.tmp.4.dr Static PE information: section name: /35
Source: is-JS61I.tmp.4.dr Static PE information: section name: /51
Source: is-JS61I.tmp.4.dr Static PE information: section name: /63
Source: is-JS61I.tmp.4.dr Static PE information: section name: /77
Source: is-JS61I.tmp.4.dr Static PE information: section name: /89
Source: is-JS61I.tmp.4.dr Static PE information: section name: /102
Source: is-JS61I.tmp.4.dr Static PE information: section name: /113
Source: is-JS61I.tmp.4.dr Static PE information: section name: /124
Source: is-7IT87.tmp.4.dr Static PE information: section name: .didata
Source: is-URL53.tmp.4.dr Static PE information: section name: .didata
Source: is-EQREG.tmp.4.dr Static PE information: section name: entropy: 7.984789371171089
Source: is-EQREG.tmp.4.dr Static PE information: section name: entropy: 7.994840224102401
Source: is-EQREG.tmp.4.dr Static PE information: section name: entropy: 7.990943201012819
Source: is-EQREG.tmp.4.dr Static PE information: section name: entropy: 7.815634775197806
Source: is-EQREG.tmp.4.dr Static PE information: section name: .rsrc entropy: 7.93730555835485
Source: is-EQREG.tmp.4.dr Static PE information: section name: .data entropy: 7.925340424958526
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\Vorbis.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-89R70.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\sqlite3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-I4L15.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\ogg.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-3LL6A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-BV3PJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-URL53.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\lsynchost.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-H68I0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-NK5I1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\MpkL64.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-EQREG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\Windows\SysWOW64\inspect.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\MpkHCA.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-SUMV4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-5U9RI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-9EF5L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\zlib1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-JS61I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\vorbisfile.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-M13BC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-RJO8C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-7IT87.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\MPK.dll (copy)
Source: C:\ProgramData\MPK\mpk_emni_mpk.exe File created: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\MPK.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\MPKInst.exe (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\MPK\mpk_emni_mpk.exe
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\MPK64.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\vorbisenc.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-GH6IU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\Windows\SysWOW64\is-ARHTI.tmp

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Windows\System32\msiexec.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\ProgramData\MPK\mpk_emni_mpk.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ProgramData\MPK\mpk_emni_mpk.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPK\MPKInst.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\ProgramData\MPK\lsynchost.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\Vorbis.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\is-89R70.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\sqlite3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\ogg.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\is-I4L15.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\is-3LL6A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\is-BV3PJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\is-NK5I1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\is-H68I0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\MpkL64.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\inspect.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\is-EQREG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\MpkHCA.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\is-SUMV4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\is-9EF5L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\zlib1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\is-JS61I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\vorbisfile.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\is-M13BC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\is-RJO8C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\MPK.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\MPK.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\MPK64.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\vorbisenc.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\ProgramData\MPK\is-GH6IU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Dropped PE file which has not been started: C:\Windows\SysWOW64\is-ARHTI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\ProgramData\MPK\MPKInst.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\ProgramData\MPK\MPKInst.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\ProgramData\MPK\lsynchost.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\ProgramData\MPK\lsynchost.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: mpk_emni_mpk.tmp, 00000004.00000002.2103218386.0000000000745000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\msiexec.exe Process created: C:\ProgramData\MPK\mpk_emni_mpk.exe "C:\ProgramData\MPK\mpk_emni_mpk.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "C:\Users\user\Desktop\" /LOG="C:\ProgramData\MPK\mpk_em_log.txt"
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Process created: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp helper 105 0x3DC
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yes
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yes
Source: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp Code function: 5_2_0000000140001000 GetNamedSecurityInfoW,AllocateAndInitializeSid,SetEntriesInAclW,SetNamedSecurityInfoW,LocalFree,FreeSid,LocalFree,GetLastError, 5_2_0000000140001000
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers DisableNXShowUI
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yes
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yes
Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob
No contacted IP infos