
Windows Analysis Report
9Fat24-jfN6-5Skq7-T70.msi

Overview

General Information

Sample name: 9Fat24-jfN6-5Skq7-T70.msi
Analysis ID: 1634711
MD5: bbe61989cb02e4a219c4115b57ac425c
SHA1: 5408c7e2062ace494c1e7bb27f76fe4c8facebfe
SHA256: fb477e206a129bb9273943e1196083158caf69379317c53dbf3b5b7833731618
Tags: msi, user-Porcupine

Detection

Score: 88
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Joe Sandbox ML detected suspicious sample
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Uses shutdown.exe to shutdown or reboot the system
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Shutdown
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • msiexec.exe (PID: 7624 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\9Fat24-jfN6-5Skq7-T70.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7700 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7832 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7B223A5F3BAF084A30462523A41564DC MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • shutdown.exe (PID: 3192 cmdline: "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 20 MD5: FCDE5AF99B82AE6137FB90C7571D40C3)
        • conhost.exe (PID: 2172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • pHVoKupt@@.exe (PID: 7892 cmdline: "C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe" MD5: 332B06DAEAA5CD1CB6E2988E5BCE38B8)
  • cleanup
No configs have been found
Yara matches (dropped files):
Source: C:\Users\Public\iDfEDtqG\iDfEDtqG.bmp | Rule: MALWARE_Win_StormKitty | Description: Detects StormKitty infostealer | Author: ditekSHen | Strings:
  • 0x498:$x2: https://github.com/LimerBoy/StormKitty
  • 0x4b4:$x3: StormKitty
Yara matches (unpacked PEs):
Source: 12.2.pHVoKupt@@.exe.70880000.1.unpack | Rule: MALWARE_Win_StormKitty | Description: Detects StormKitty infostealer | Author: ditekSHen | Strings:
  • 0x498:$x2: https://github.com/LimerBoy/StormKitty
  • 0x4b4:$x3: StormKitty
Source: 12.2.pHVoKupt@@.exe.7d0000.0.unpack | Rule: MALWARE_Win_StormKitty | Description: Detects StormKitty infostealer | Author: ditekSHen | Strings:
  • 0x498:$x2: https://github.com/LimerBoy/StormKitty
  • 0x4b4:$x3: StormKitty

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: "C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe" , CommandLine: "C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe, NewProcessName: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe, OriginalFileName: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe" , ProcessId: 7892, ProcessName: pHVoKupt@@.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: DestinationIp: 24.152.38.223, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe, Initiated: true, ProcessId: 7892, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49724
Source: Network Connection | Author: frack113 | Data: DestinationIp: 43.135.205.247, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7832, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49716
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 7832, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iDfEDtqG.lnk
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 20, CommandLine: "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 20, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\shutdown.exe, NewProcessName: C:\Windows\SysWOW64\shutdown.exe, OriginalFileName: C:\Windows\SysWOW64\shutdown.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 7B223A5F3BAF084A30462523A41564DC, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7832, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 20, ProcessId: 3192, ProcessName: shutdown.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T03:51:07.549426+0100 | 2019823 | 1 | Exploit Kit Activity Detected | 43.135.205.247 | 443 | 192.168.2.4 | 49716 | TCP
2025-03-11T03:51:11.054674+0100 | 2019823 | 1 | Exploit Kit Activity Detected | 43.135.205.247 | 443 | 192.168.2.4 | 49717 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T03:51:06.725366+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49716 | 43.135.205.247 | 443 | TCP
2025-03-11T03:51:10.503142+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49717 | 43.135.205.247 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-11T03:51:07.549426+0100 | 2022653 | 1 | A Network Trojan was detected | 43.135.205.247 | 443 | 192.168.2.4 | 49716 | TCP
2025-03-11T03:51:11.054674+0100 | 2022653 | 1 | A Network Trojan was detected | 43.135.205.247 | 443 | 192.168.2.4 | 49717 | TCP


AV Detection

Source: https://pimblinbolim-1343231589.cos.sa-saopaulo.myqcloud.com/castanha.bmp | Avira URL Cloud: Label: malware
Source: https://pimblinbolim-1343231589.cos.sa-saopaulo.myqcloud.com/carros.bmp | Avira URL Cloud: Label: malware
Source: 9Fat24-jfN6-5Skq7-T70.msi | Virustotal: Detection: 8%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown | HTTPS traffic detected: 43.135.205.247:443 -> 192.168.2.4:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 43.135.205.247:443 -> 192.168.2.4:49717 version: TLS 1.2
Source: Binary string: wininet.pdb source: shi8DB1.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: 9Fat24-jfN6-5Skq7-T70.msi, 4a8a75.msi.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: 9Fat24-jfN6-5Skq7-T70.msi, 4a8a75.msi.2.dr, MSI8D86.tmp.2.dr
Source: Binary string: d3d12.pdbUGP source: shi8E4E.tmp.3.dr
Source: Binary string: d3d12.pdb source: shi8E4E.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb\ source: 9Fat24-jfN6-5Skq7-T70.msi, 4a8a75.msi.2.dr, MSI8D86.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbu source: 9Fat24-jfN6-5Skq7-T70.msi, MSI8C1B.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr
Source: Binary string: wininet.pdbUGP source: shi8DB1.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: 9Fat24-jfN6-5Skq7-T70.msi, MSI8C1B.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI8D07.tmp.2.dr, MSI8D66.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI8D07.tmp.2.dr, MSI8D66.tmp.2.dr
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:

Networking

Source: Network traffic | Suricata IDS: 2019823 - Severity 1 - ET EXPLOIT_KIT WinHttpRequest Downloading EXE Non-Port 80 (Likely Exploit Kit) : 43.135.205.247:443 -> 192.168.2.4:49717
Source: Network traffic | Suricata IDS: 2022653 - Severity 1 - ET MALWARE Likely Evil EXE download from WinHttpRequest non-exe extension : 43.135.205.247:443 -> 192.168.2.4:49717
Source: Network traffic | Suricata IDS: 2019823 - Severity 1 - ET EXPLOIT_KIT WinHttpRequest Downloading EXE Non-Port 80 (Likely Exploit Kit) : 43.135.205.247:443 -> 192.168.2.4:49716
Source: Network traffic | Suricata IDS: 2022653 - Severity 1 - ET MALWARE Likely Evil EXE download from WinHttpRequest non-exe extension : 43.135.205.247:443 -> 192.168.2.4:49716
Source: Joe Sandbox View | IP Address: 43.135.205.247
Source: Joe Sandbox View | ASN Name: MasterDaWebBR
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49716 -> 43.135.205.247:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49717 -> 43.135.205.247:443
Source: global traffic | HTTP traffic detected: GET /carros.bmp HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: pimblinbolim-1343231589.cos.sa-saopaulo.myqcloud.com
Source: global traffic | HTTP traffic detected: GET /castanha.bmp HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: pimblinbolim-1343231589.cos.sa-saopaulo.myqcloud.com
Source: unknown | TCP traffic detected without corresponding DNS query: 24.152.38.223 (reported 5 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 3 times)
Source: global traffic | HTTP traffic detected: GET /carros.bmp HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: pimblinbolim-1343231589.cos.sa-saopaulo.myqcloud.com
Source: global traffic | HTTP traffic detected: GET /castanha.bmp HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: pimblinbolim-1343231589.cos.sa-saopaulo.myqcloud.com
Source: global traffic | HTTP traffic detected: GET /TR/index.php?VS=4.0&PL=Windows%20Defender.&AN=NAO HTTP/1.1 | User-Agent: "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36" | Host: 24.152.38.223 | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: pimblinbolim-1343231589.cos.sa-saopaulo.myqcloud.com
Source: global traffic | DNS traffic detected: DNS query: c.pki.goog
Source: global traffic | DNS traffic detected: DNS query: collect.installeranalytics.com
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: application/x-www-form-urlencoded; charset=utf-8 | User-Agent: AdvinstAnalytics/1.0 (Microsoft Windows NT 10.0.19045 ; x64) | Host: collect.installeranalytics.com | Content-Length: 165 | Cache-Control: no-cache
Source: shi8DB1.tmp.3.dr | String found in binary or memory: http://.css
Source: shi8DB1.tmp.3.dr | String found in binary or memory: http://.jpg
Source: pHVoKupt@@.exe, 0000000C.00000002.2453015033.0000021200141000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://24.152.38.223
Source: pHVoKupt@@.exe, 0000000C.00000002.2453015033.0000021200001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://24.152.38.223/TR/index.php
Source: pHVoKupt@@.exe, 0000000C.00000002.2453015033.0000021200001000.00000004.00000800.00020000.00000000.sdmp, pHVoKupt@@.exe, 0000000C.00000002.2459017599.000002126EC77000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://24.152.38.223/TR/index.php?VS=4.0&PL=Windows
Source: pHVoKupt@@.exe, 0000000C.00000002.2453015033.0000021200001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://24.152.38.223/TR/index.php?VS=4.0&PL=Windows%20Defender.&AN=NAO
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSI8C1B.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: http://collect.installeranalytics.com
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: shi8DB1.tmp.3.dr | String found in binary or memory: http://html4/loose.dtd
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: pHVoKupt@@.exe, 0000000C.00000002.2453015033.0000021200001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: http://t2.symcb.com0
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: http://tl.symcd.com0&
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSI8C1B.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: https://collect.installeranalytics.com
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSI8C1B.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic
Source: pHVoKupt@@.exe, 0000000C.00000002.2453015033.000002120017A000.00000004.00000800.00020000.00000000.sdmp, pHVoKupt@@.exe, 0000000C.00000002.2451613893.00000000007D2000.00000020.00000001.01000000.00000007.sdmp, iDfEDtqG.bmp.3.dr | String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: pHVoKupt@@.exe, 0000000C.00000000.1528976981.00007FF6BF033000.00000002.00000001.01000000.00000006.sdmp, pHVoKupt.bmp.3.dr | String found in binary or memory: https://github.com/dotnet/corefx/tree/53eb6703edaf54d3b3f8eb2911325824b010049b
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: https://www.advancedinstaller.com
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8C1B.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSI8D86.tmp.2.dr, MSI8D07.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI8D66.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr | String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | HTTPS traffic detected: 43.135.205.247:443 -> 192.168.2.4:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 43.135.205.247:443 -> 192.168.2.4:49717 version: TLS 1.2

System Summary

Source: 12.2.pHVoKupt@@.exe.70880000.1.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 12.2.pHVoKupt@@.exe.7d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: C:\Users\Public\iDfEDtqG\iDfEDtqG.bmp, type: DROPPED | Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 20
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4a8a75.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8C1B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8CD7.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8D07.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8D66.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8D86.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9C7B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9CAB.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA0E2.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA1CE.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{04E55C8B-1ACF-4F51-A29A-F6B19C021DD5}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA21D.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIF203.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI8C1B.tmp
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Code function: 12_2_00007FFC3C74CEA8
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Code function: 12_2_00007FFC3C74CEC8
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Code function: 12_2_00007FFC3C74A162
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Code function: 12_2_00007FFC3C7493B6
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Code function: 12_2_00007FFC3C75C869
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Code function: 12_2_00007FFC3C74EAFA
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Code function: 12_2_00007FFC3C740453
Source: 9Fat24-jfN6-5Skq7-T70.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs 9Fat24-jfN6-5Skq7-T70.msi
Source: 9Fat24-jfN6-5Skq7-T70.msi | Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs 9Fat24-jfN6-5Skq7-T70.msi
Source: 9Fat24-jfN6-5Skq7-T70.msi | Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs 9Fat24-jfN6-5Skq7-T70.msi
Source: 9Fat24-jfN6-5Skq7-T70.msi | Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs 9Fat24-jfN6-5Skq7-T70.msi
Source: 12.2.pHVoKupt@@.exe.70880000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 12.2.pHVoKupt@@.exe.7d0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: C:\Users\Public\iDfEDtqG\iDfEDtqG.bmp, type: DROPPED | Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: shi8DB1.tmp.3.dr | Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine | Classification label: mal88.rans.winMSI@8/32@3/3
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\AdvinstAnalytics
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2172:120:WilError_03
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Mutant created: \Sessions\1\BaseNamedObjects\Lg/sKE1b7Bn51WoKLqIhF/JN3d2cA0AiTDl/gUrq/FUZ+az0Gr/MQGBczKLel3tj
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DF3F27CD08596F0B46.TMP
Source: C:\Windows\SysWOW64\msiexec.exe | File read: C:\Program Files (x86)\desktop.ini
Source: C:\Windows\SysWOW64\msiexec.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Source: 9Fat24-jfN6-5Skq7-T70.msi | Virustotal: Detection: 8%
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\9Fat24-jfN6-5Skq7-T70.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7B223A5F3BAF084A30462523A41564DC
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 20
Source: C:\Windows\SysWOW64\shutdown.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe "C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe"
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7B223A5F3BAF084A30462523A41564DC
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 20
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netprofm.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: npmproxy.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: jscript.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttpcom.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: webio.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msdart.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\shutdown.exe | Section loaded: shutdownext.dll
Source: C:\Windows\SysWOW64\shutdown.exe | Section loaded: sspicli.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: apphelp.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: luo painter.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: mscoree.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: version.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: cryptsp.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: rsaenh.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: cryptbase.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: windows.storage.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: wldp.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: profapi.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: uxtheme.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: wbemcomn.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: amsi.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: userenv.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: rasapi32.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: rasman.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: rtutils.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: mswsock.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: winhttp.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: iphlpapi.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Section loaded: dnsapi.dll
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: iDfEDtqG.lnk.3.dr | LNK file: ..\..\..\..\..\..\..\..\Public\iDfEDtqG\pHVoKupt@@.exe
Source: C:\Windows\SysWOW64\msiexec.exe | File written: C:\Users\user\AppData\Local\AdvinstAnalytics\67cdf0484512a1c62dc03a6e\1.0.0\tracking.ini
Source: 9Fat24-jfN6-5Skq7-T70.msi | Static file information: File size 5244588 > 1048576
Source: Binary string: wininet.pdb source: shi8DB1.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: 9Fat24-jfN6-5Skq7-T70.msi, 4a8a75.msi.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: 9Fat24-jfN6-5Skq7-T70.msi, 4a8a75.msi.2.dr, MSI8D86.tmp.2.dr
Source: Binary string: d3d12.pdbUGP source: shi8E4E.tmp.3.dr
Source: Binary string: d3d12.pdb source: shi8E4E.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb\ source: 9Fat24-jfN6-5Skq7-T70.msi, 4a8a75.msi.2.dr, MSI8D86.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbu source: 9Fat24-jfN6-5Skq7-T70.msi, MSI8C1B.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr
Source: Binary string: wininet.pdbUGP source: shi8DB1.tmp.3.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: 9Fat24-jfN6-5Skq7-T70.msi, MSI8C1B.tmp.2.dr, 4a8a75.msi.2.dr, MSI9CAB.tmp.2.dr, MSIA1CE.tmp.2.dr, MSI9C7B.tmp.2.dr, MSIF203.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI8D07.tmp.2.dr, MSI8D66.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: 9Fat24-jfN6-5Skq7-T70.msi, MSIA0E2.tmp.2.dr, MSI8CD7.tmp.2.dr, 4a8a75.msi.2.dr, MSI8D07.tmp.2.dr, MSI8D66.tmp.2.dr
Source: shi8E4E.tmp.3.dr | Static PE information: TimeDateStamp 0x96D7AA59 [Sat Mar 12 16:44:09 2050 UTC]
Source: shi8DB1.tmp.3.dr | Static PE information: section name: .wpp_sf
Source: shi8DB1.tmp.3.dr | Static PE information: section name: .didat
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Code function: 12_2_00007FFC3C74ADD0 pushad ; iretd | 12_2_00007FFC3C74ADDD
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Code function: 12_2_00007FFC3C7400BD pushad ; iretd | 12_2_00007FFC3C7400C1
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Code function: 12_2_00007FFC3C74BA40 push eax; retf 3C81h | 12_2_00007FFC3C74BB11
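The two static findings above (the far-future TimeDateStamp on shi8E4E.tmp and the .wpp_sf/.didat section names on shi8DB1.tmp) are read straight out of the PE file header. The Python below is an added illustration, not code from the Joe Sandbox report or from the sample: it parses those fields from a minimal PE header constructed inline with the same stamp 0x96D7AA59 and shows how a triage script would score them. The caveat a practitioner should apply before counting either as malicious: the pdb strings listed earlier tie shi8DB1.tmp to wininet.pdb and shi8E4E.tmp to d3d12.pdb, so they look like copies of Microsoft system DLLs. Microsoft builds Windows binaries deterministically and stores a hash of the build in TimeDateStamp, so nonsense dates such as 2050 are normal for genuine Microsoft files, and .didat (delay-load import data) and .wpp_sf (WPP tracing) are standard sections in them. Verify the Authenticode signature and compare the hash with the System32 copy rather than scoring the stamp on its own. The `microsoft_signed` flag stands in for that signature check, which the code does not perform; the section allowlists are my own and should be tuned to your corpus.

```python
import struct
from datetime import datetime, timezone

# Section names MSVC/GCC-built images commonly carry (assumed allowlist, not from the report).
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                   ".idata", ".edata", ".tls", ".bss", ".CRT", ".gfids"}
# Normal in Microsoft-built system binaries even though absent from the generic list.
MICROSOFT_SECTIONS = {".didat", ".wpp_sf", ".retplne", ".00cfg"}


def parse_pe(data: bytes) -> dict:
    """Header-only parse: IMAGE_FILE_HEADER.TimeDateStamp and the section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (20 bytes after the 4-byte signature)
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sec_table = e_lfanew + 4 + 20 + opt_size
    names = []
    for i in range(nsections):  # 40-byte IMAGE_SECTION_HEADER, 8-byte name first
        raw = data[sec_table + i * 40: sec_table + i * 40 + 8]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return {"machine": machine, "timestamp": stamp, "sections": names}


def timestamp_utc(stamp: int) -> datetime:
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def triage(pe: dict, now_unix: int, microsoft_signed: bool = False) -> list:
    """Findings a reviewer would raise. now_unix is the analysis time as a Unix timestamp."""
    findings = []
    if pe["timestamp"] > now_unix:
        when = timestamp_utc(pe["timestamp"]).strftime("%Y-%m-%d %H:%M:%S UTC")
        if microsoft_signed:
            findings.append(f"future TimeDateStamp {when}: expected for a Microsoft "
                            "deterministic build, not evidence of tampering")
        else:
            findings.append(f"future TimeDateStamp {when}: check the Authenticode "
                            "signature and compare with the System32 copy")
    for name in pe["sections"]:
        if name in COMMON_SECTIONS or (microsoft_signed and name in MICROSOFT_SECTIONS):
            continue
        findings.append(f"non-standard section name {name}")
    return findings


def build_sample(stamp: int, sections) -> bytes:
    """Constructed minimal PE header (not the dropped file): DOS header, PE signature,
    file header with a zero-length optional header, then one section header per name."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE signature at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), stamp, 0, 0, 0, 0x2022)
    sec_hdrs = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + sec_hdrs


if __name__ == "__main__":
    # Same stamp the report shows for shi8E4E.tmp, plus the section names shown for shi8DB1.tmp.
    pe = parse_pe(build_sample(0x96D7AA59, [".text", ".didat", ".wpp_sf"]))
    print(timestamp_utc(pe["timestamp"]))
    analysis_time = 1_741_651_200                     # a 2025 date, before the stamp
    print(triage(pe, analysis_time))                  # three findings
    print(triage(pe, analysis_time, microsoft_signed=True))  # one, worded as the caveat
```

The stamp decodes to 2050-03-12 16:44:09 UTC, matching the report; with the signature check passed the same header yields a single advisory line instead of three findings.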
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8D86.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9CAB.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8C1B.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe (copy)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8D07.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\Public\iDfEDtqG\pHVoKupt.bmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\shi8E4E.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIF203.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\shi8DB1.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9C7B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8D66.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\Public\iDfEDtqG\iDfEDtqG.bmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA1CE.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA0E2.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8CD7.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\Public\iDfEDtqG\Luo Painter.dll (copy)
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8D86.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9CAB.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8C1B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8D07.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIF203.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9C7B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8D66.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA1CE.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA0E2.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8CD7.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\Public\iDfEDtqG\pHVoKupt.bmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\Public\iDfEDtqG\iDfEDtqG.bmp
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iDfEDtqG.lnk (2 times)
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (14 times)
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX (4 times)
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Process information set: NOOPENFILEERRORBOX (51 times)
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Memory allocated: 2126C970000 memory reserve | memory write watch
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Memory allocated: 2126E4B0000 memory reserve | memory write watch
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Thread delayed: delay time: 922337203685477 (Int64.MaxValue / 10000, i.e. TimeSpan.MaxValue expressed in milliseconds: the .NET payload issues an effectively infinite wait)
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Window / User API: threadDelayed 2817
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Window / User API: threadDelayed 6538
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8D86.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI9CAB.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8C1B.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8D07.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi8E4E.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIF203.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi8DB1.tmp
Source: C:\Windows\SysWOW64\msiexec.exe | Dropped PE file which has not been started: C:\Users\Public\iDfEDtqG\iDfEDtqG.bmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8D66.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI9C7B.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIA1CE.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8CD7.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIA0E2.tmp
Source: C:\Windows\SysWOW64\msiexec.exe TID: 2552 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe TID: 3172 | Thread sleep count: 32 > 30
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe TID: 3172 | Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe TID: 5096 | Thread sleep count: 2817 > 30
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe TID: 5096 | Thread sleep count: 6538 > 30
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe TID: 3172 | Thread sleep count: 159 > 30
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe TID: 3172 | Thread sleep count: 288 > 30
Source: C:\Windows\SysWOW64\msiexec.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\msiexec.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation (7 times)
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exe | Thread delayed: delay time: 922337203685477 (Int64.MaxValue / 10000, i.e. TimeSpan.MaxValue expressed in milliseconds: an effectively infinite .NET wait)
Source: MSI8D86.tmp.2.dr | Binary or memory string: 01234567890.0.0.0.%dVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IROOT\CIMV2SELECT * FROM Win32_ComputerSystemSELECT * FROM Win32_BIOSManufacturerModelVersionGetting system informationManufacturer [Model [BIOS [IsWow64Processkernel32Software\Microsoft\Windows NT\CurrentVersionSYSTEM\CurrentControlSet\Control\ProductOptionsCurrentMajorVersionNumberCurrentMinorVersionNumberCurrentVersionCurrentBuildNumberReleaseIdCSDVersionProductTypeProductSuiteWinNTServerNTSmall BusinessEnterpriseBackOfficeCommunicationServerTerminal ServerSmall Business(Restricted)EmbeddedNTDataCenterPersonalBladeEmbedded(Restricted)Security ApplianceStorage ServerCompute Server Failed to create IWbemLocator object. Error code: \\Could not connect to WMI provider. Error code: Failed to initialize security. Error code: Could not set proxy blanket. Error code: WQLWMI Query failed: []. Error code:
Source: pHVoKupt@@.exe, 0000000C.00000002.2459017599.000002126EC70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 20Jump to behavior
Source: pHVoKupt@@.exe, 0000000C.00000002.2453015033.0000021200270000.00000004.00000800.00020000.00000000.sdmp, pHVoKupt@@.exe, 0000000C.00000002.2453015033.000002120017A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exeQueries volume information: C:\Users\Public\iDfEDtqG\Luo Painter.dll VolumeInformationJump to behavior
Source: C:\Users\Public\iDfEDtqG\pHVoKupt@@.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: pHVoKupt@@.exe, 0000000C.00000002.2457290846.000002126CAD1000.00000004.00000020.00020000.00000000.sdmp, pHVoKupt@@.exe, 0000000C.00000002.2457290846.000002126CB0C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
MITRE ATT&CK Matrix, listed per tactic (the number in parentheses is the numeric badge shown beside that technique in the original matrix; techniques without a number carry no badge):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (3); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Registry Run Keys / Startup Folder (2); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (12); Registry Run Keys / Startup Folder (2); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (31); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (41); Process Injection (12); Obfuscated Files or Information (1); Timestomp (1); DLL Side-Loading (1); File Deletion (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (31); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); Peripheral Device Discovery (11); File and Directory Discovery (2); System Information Discovery (33); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1634711; Sample: 9Fat24-jfN6-5Skq7-T70.msi; Startdate: 11/03/2025; Architecture: WINDOWS; Score: 88

Start (node 2):
  • DNS/IP: pki-goog.l.google.com; pimblinbolim-1343231589.cos.sa-saopaulo.myqcloud.com; 5 other IPs or domains
  • Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 4 other signatures
  • Started: msiexec.exe (node 9; counts 3, 23); pHVoKupt@@.exe (node 12; counts 14, 3); msiexec.exe (node 15; count 2)

msiexec.exe (node 9):
  • Dropped: C:\Windows\Installer\MSIF203.tmp (PE32); C:\Windows\Installer\MSIA1CE.tmp (PE32); C:\Windows\Installer\MSIA0E2.tmp (PE32); 7 other files (none is malicious)
  • Started: msiexec.exe (node 17; counts 2, 70)

pHVoKupt@@.exe (node 12):
  • DNS/IP: 24.152.38.223, ports 49724, 80, MasterDaWebBR, unknown

msiexec.exe (node 17):
  • DNS/IP: cos.sa-saopaulo.myqcloud.com 43.135.205.247, ports 443, 49716, 49717, LILLY-ASUS Japan; collect.installeranalytics.com 3.220.101.116, ports 49723, 80, AMAZON-AESUS United States
  • Dropped: C:\Users\user\AppData\Local\...\shi8E4E.tmp (PE32); C:\Users\user\AppData\Local\...\shi8DB1.tmp (PE32); C:\Users\Public\...\pHVoKupt@@.exe (copy) (PE32+); 3 other files (none is malicious)
  • Signatures: Uses shutdown.exe to shutdown or reboot the system
  • Started: shutdown.exe (node 22; count 1)

shutdown.exe (node 22):
  • Started: conhost.exe (node 24)