Windows Analysis Report
VS80sp1-KB954961-X86-INTL.exe

Overview

General Information

Sample name: VS80sp1-KB954961-X86-INTL.exe
Analysis ID: 1428262
MD5: de6843e7937dfe0704b9eadfe589e691
SHA1: c07566c6abc50cd9350d33209520bda798dda3e8
SHA256: b4ad9fb4f0fc28c41b1a32ba309c8f8cf8b0c1eacb40107d7687288a040eb317

Detection

Score: 7
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Compliance

Score: 47
Range: 0 - 100

Signatures

Checks for available system drives (often done to infect USB drives)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Compliance

Source: VS80sp1-KB954961-X86-INTL.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: VS80sp1-KB954961-X86-INTL.exe Static PE information: certificate valid
Source: C:\Windows\System32\msiexec.exe File opened: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcr80.dll
Source: Binary string: msvcm80.i386.pdb source: msvcm80.dll.4.dr
Source: Binary string: ddsetca.pdb source: 5E0E.tmp.0.dr, 5CE2.tmp.0.dr, 5B27.tmp.0.dr, VS80sp1-KB954961-X86-INTL.msp.0.dr, 5D90.tmp.0.dr, 5D31.tmp.0.dr
Source: Binary string: t:\dw\x86\ship\0\dw20.pdb source: DW20.EXE.4.dr
Source: Binary string: t:\dw\x86\ship\0\dw20.pdb\x86\ship\0\dw20.exe\bbtopt\dw20O.pdb source: DW20.EXE.4.dr
Source: Binary string: t:\dw\x86\ship\0\dwtrig20.pdb\ship\0\dwtrig20.exe\bbtopt\dwtrig20O.pdb", source: DWTRIG20.EXE.4.dr
Source: Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: dw20shared.msi.0.dr, 5d6f33.msi.4.dr
Source: Binary string: C:\BriqsBuildDirectories\BriqsSourceDirectory\target\briqs3.4\retail\i386\DDPatch.pdb source: 5497.tmp.0.dr, 55A4.tmp.0.dr, 5AA8.tmp.0.dr, 582D.tmp.0.dr, 5E0E.tmp.0.dr, 5CE2.tmp.0.dr, 5FA7.tmp.0.dr, 590C.tmp.0.dr, 573E.tmp.0.dr, 5B27.tmp.0.dr, 5C24.tmp.0.dr, 5EFB.tmp.0.dr, VS80sp1-KB954961-X86-INTL.msp.0.dr, 594B.tmp.0.dr, 5AE7.tmp.0.dr, 5565.tmp.0.dr, 5BC5.tmp.0.dr, 58BC.tmp.0.dr, 5CA3.tmp.0.dr, 5C63.tmp.0.dr, 5467.tmp.0.dr, 5437.tmp.0.dr, 59BA.tmp.0.dr, 5525.tmp.0.dr, 5D90.tmp.0.dr, 5D31.tmp.0.dr, 56CF.tmp.0.dr, 585D.tmp.0.dr, 60C7.tmp.0.dr, 6036.tmp.0.dr, 570F.tmp.0.dr
Source: Binary string: t:\dw\x86\ship\0\dwtrig20.pdb source: DWTRIG20.EXE.4.dr
Source: Binary string: t:\msishared\x86\ship\0\CustomActions\dwsens.pdb source: MSI7204.tmp.4.dr, dw20shared.msi.0.dr, MSI738B.tmp.4.dr, 5d6f33.msi.4.dr, MSI7194.tmp.4.dr
Source: Binary string: \x86\ship\0\dw20.exe\bbtopt\dw20O.pdb source: DW20.EXE.4.dr
Source: Binary string: t:\msishared\x86\ship\0\CustomActions\dwsens.pdbPu source: MSI7204.tmp.4.dr, dw20shared.msi.0.dr, MSI738B.tmp.4.dr, 5d6f33.msi.4.dr, MSI7194.tmp.4.dr
Source: Binary string: C:\razzle\binaries\BRIQSSHARED.x86ret\bin\i386\wrapdrvr.pdb source: VS80sp1-KB954961-X86-INTL.exe
Source: Binary string: msvcp80.i386.pdb source: msvcp80.dll.4.dr
Source: Binary string: t:\msishared\x86\ship\0\CustomActions\dw20sharedca.pdb source: dw20shared.msi.0.dr, 5d6f33.msi.4.dr
Source: Binary string: \ship\0\dwtrig20.exe\bbtopt\dwtrig20O.pdb source: DWTRIG20.EXE.4.dr
Source: Binary string: t:\msishared\x86\ship\0\CustomActions\AbortMsiCA.pdb source: dw20shared.msi.0.dr, MSI70E6.tmp.4.dr, 5d6f33.msi.4.dr
Source: Binary string: FileHashFixup.pdb source: filehashfixup.exe.0.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5d6f30.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI70E6.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{95120000-00B9-0409-0000-0000000FF1CE}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7144.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7174.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7194.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7195.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7204.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\PCHEALTH
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\PCHEALTH\ERRORREP
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\PCHEALTH\ERRORREP\QHEADLES
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcr80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcp80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcm80.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240418183627498.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240418183627498.0\8.0.50727.42.policy
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\WinSxS\InstallTemp\20240418183627498.0\8.0.50727.42.cat
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI738B.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5d6f33.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI70E6.tmp
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Code function: 0_3_0108A191 0_3_0108A191
Source: VS80sp1-KB954961-X86-INTL.exe Static PE information: Resource name: BINARY type: Microsoft Cabinet archive data, many, 12381593 bytes, 5 files, at 0x2c +A "manifest.ini" +A "filehashfixup.exe", number 1, 631 datablocks, 0x1 compression
Source: VS80sp1-KB954961-X86-INTL.exe, 00000000.00000003.2008386411.0000000002E78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFileHashFixup.exeP vs VS80sp1-KB954961-X86-INTL.exe
Source: VS80sp1-KB954961-X86-INTL.exe, 00000000.00000003.2073654830.0000000002E79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFileHashFixup.exeP vs VS80sp1-KB954961-X86-INTL.exe
Source: VS80sp1-KB954961-X86-INTL.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: clean7.winEXE@10/83@0/0
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\DW
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\MicrosoftDevDivPatchMutex
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe File created: C:\Users\user\AppData\Local\Temp\ZNW50FA.tmp
Source: VS80sp1-KB954961-X86-INTL.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe File read: C:\Users\user\AppData\Local\Temp\ZNW50FA\manifest.ini
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: VS80sp1-KB954961-X86-INTL.exe String found in binary or memory: </install>
Source: VS80sp1-KB954961-X86-INTL.exe String found in binary or memory: </addsource>
Source: VS80sp1-KB954961-X86-INTL.exe String found in binary or memory: <update executable file name> /addsource "C:\Product MSI\Visual Studio\enu\vs_setup.msi" /addsource "C:\Product MSI\Net\Netfx.msi"
Source: unknown Process created: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe "C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe"
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" REBOOT=ReallySuppress /p "C:\Users\user\AppData\Local\Temp\ZNW50FA\VS80sp1-KB954961-X86-INTL.msp" /l*v C:\Users\user\AppData\Local\Temp\VS80sp1-KB954961-X86-INTL\VS80sp1-KB954961-X86-INTL-msi.0.log
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" REBOOT=ReallySuppress /q /i C:\Users\user\AppData\Local\Temp\ZNW50FA\dw20shared.msi APPGUID={AB1098F4-4E8B-4BC1-9979-6367DF53ED51} REINSTALL=all REINSTALLMODE=vomus
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D94135EDDA44CEACEF1298338DEB1A49
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 31C2B4F4F21467A963096029BA61CEDC E Global\MSI0000
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: duser.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: atlthunk.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sxs.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: es.dll
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe File written: C:\Users\user\AppData\Local\Temp\ZNW50FA\manifest.ini
Source: initial sample Static PE information: Valid certificate with Microsoft Issuer
Source: VS80sp1-KB954961-X86-INTL.exe Static file information: File size 12779920 > 1048576
Source: VS80sp1-KB954961-X86-INTL.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xc02200
Source: VS80sp1-KB954961-X86-INTL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe File created: C:\Users\user\AppData\Local\Temp\ZNW50FA\filehashfixup.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\DW\DWTRIG20.EXE
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\DW\DW20.EXE
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\VS80sp1-KB954961-X86-INTL
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI738B.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7195.tmp
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ZNW50FA\filehashfixup.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7144.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7204.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7174.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\DW\DWTRIG20.EXE
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI70E6.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcp80.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcr80.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcm80.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\DW\DW20.EXE
Source: C:\Windows\SysWOW64\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 3_2_04C3F42C LdrInitializeThunk, 3_2_04C3F42C
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
No contacted IP infos