Analysis Report 103WindowsAgentSetup.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 181832
Start date: 10.10.2019
Start time: 04:11:02
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 0s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 103WindowsAgentSetup.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal44.spyw.evad.winEXE@121/44@4/1
EGA Information:
  • Successful, ratio: 75%
HDC Information:
  • Successful, ratio: 18.4% (good quality ratio 16.1%)
  • Quality average: 75.3%
  • Quality standard deviation: 34.5%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 93.184.221.240, 205.185.216.10, 205.185.216.42, 8.248.113.254, 67.26.81.254, 8.241.121.126, 8.241.122.126, 8.253.95.120, 8.253.207.121, 8.248.119.254, 8.253.204.249, 8.248.117.254, 8.248.131.254, 8.241.123.126, 8.248.125.254, 8.248.141.254
  • Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, wu.azureedge.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy: Threshold
Score: 44
Range: 0 - 100
Reporting Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Replication Through Removable Media 1 | Windows Management Instrumentation 511 | Winlogon Helper DLL | Access Token Manipulation 1 | Masquerading 11 | Input Capture 111 | System Time Discovery 1 | Replication Through Removable Media 1 | Input Capture 111 | Data Encrypted 12 | Standard Cryptographic Protocol 22
Replication Through Removable Media | Command-Line Interface 1 | Port Monitors | Process Injection 1 | Disabling Security Tools 1 | Network Sniffing | Query Registry 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 2
Drive-by Compromise | Execution through API 1 | Accessibility Features | Path Interception | Access Token Manipulation 1 | Input Capture | Process Discovery 2 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol 2
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection 1 | Credentials in Files | Peripheral Device Discovery 11 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Deobfuscate/Decode Files or Information 1 | Account Manipulation | Security Software Discovery 851 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information 2 | Brute Force | Remote System Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | DLL Side-Loading 1 | Two-Factor Authentication Interception | File and Directory Discovery 2 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | System Information Discovery 245 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol

Signature Overview



Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_004943D0 __EH_prolog3_GS,GetLastError,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,CryptHashData,CryptSignHashW,CryptSignHashW,CryptSignHashW,GetLastError,GetLastError,WriteFile,WriteFile,WriteFile
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_004947EE __EH_prolog3_GS,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,CryptHashData,GetLastError,_memmove,GetLastError,CryptVerifySignatureW
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00494D6A CryptReleaseContext
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00494DA2 CryptDestroyHash
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00494DBC CryptDestroyKey
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00494EED CryptExportKey
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00495170 CryptGetHashParam,GetLastError,CryptGetHashParam
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_0049532E CryptHashData
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_004953BA CryptImportKey
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00495444 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00495760 CoCreateGuid,StringFromGUID2,_wcsncpy,CryptAcquireContextW,CryptCreateHash
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00495AEF CryptGetHashParam,GetLastError
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00495AF1 CryptGetHashParam,GetLastError,CryptSetHashParam
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00495B7E CryptAcquireContextW,CryptReleaseContext,CryptDestroyHash
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00495EDD SetFilePointer,CryptSignHashW,GetLastError,CryptSignHashW,WriteFile,WriteFile,WriteFile,SetFilePointer
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00495EAF CryptVerifySignatureW,GetLastError

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\SysWOW64\msiexec.exe File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exe Code function: 0_2_0040372C GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exe Code function: 0_2_00403211 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00436E81 __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW

Networking:

Performs DNS lookups
Source: unknown DNS traffic detected: queries for: nable.acshosted.com
URLs found in memory or binary data
Uses HTTPS
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exe Code function: 0_2_00408DA3 SetWindowsHookExW 00000002,Function_00008D75,00000000,00000000
Creates a DirectInput object (often for capturing keystrokes)
Source: 103WindowsAgentSetup.exe, 00000000.00000002.4865079679.0000000000700000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_004953BA CryptImportKey
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00495444 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError

DDoS:

Too many similar processes found
Source: ISBEW64.exe Process created: 79

System Summary:

PE file has a writeable .text section
Source: MSI6E6B.tmp.3.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00488AC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe File created: C:\Windows\Downloaded Installations
Creates mutexes
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1616:120:WilError_01
Detected potential crypto function
Enables security privileges
Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Security
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
Source: MSI6C76.tmp.3.dr Static PE information: Resource name: None type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
PE file contains strange resources
Source: 103WindowsAgentSetup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsAgentSetup.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MSI6E6B.tmp.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: 103WindowsAgentSetup.exe, 00000000.00000002.4864711735.0000000000466000.00000002.00020000.sdmpBinary or memory string: OriginalFilename7ZSfxMod_x86.exeD vs 103WindowsAgentSetup.exe
Source: 103WindowsAgentSetup.exe, 00000000.00000002.4867745592.0000000002D90000.00000002.00000001.sdmpBinary or memory string: originalfilename vs 103WindowsAgentSetup.exe
Source: 103WindowsAgentSetup.exe, 00000000.00000002.4867745592.0000000002D90000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs 103WindowsAgentSetup.exe
Source: 103WindowsAgentSetup.exe, 00000000.00000002.4867364439.0000000002C90000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs 103WindowsAgentSetup.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exeFile read: C:\Users\user\Desktop\103WindowsAgentSetup.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exeSection loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeSection loaded: wow64log.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wow64log.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dll
PE file has a writable .reloc section
Source: MSI6E6B.tmp.3.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Classification label
Source: classification engineClassification label: mal44.spyw.evad.winEXE@121/44@4/1
Contains functionality for error logging
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exeCode function: 0_2_004095EE wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,0_2_004095EE
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCode function: 2_2_00488AC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,2_2_00488AC7
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exeCode function: 0_2_0040122A GetDiskFreeSpaceExW,SendMessageW,0_2_0040122A
Contains functionality to enum processes or threads
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCode function: 2_2_00486E7D __EH_prolog3_GS,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,Process32NextW,OpenProcess,2_2_00486E7D
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exeCode function: 0_2_004092A9 GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,GetWindowLongW,GetDlgItem,SetWindowLongW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow,0_2_004092A9
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exeCode function: 0_2_004020D2 GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,0_2_004020D2
Creates files inside the program directory
Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Program Files (x86)\N-able Technologies
Creates temporary files
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exeFile created: C:\Users\user~1\AppData\Local\Temp\7ZipSfx.000
Might use command line arguments
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCommand line argument: debuglog2_2_0044A48F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCommand line argument: Setup.cpp2_2_0044A48F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCommand line argument: runfromtemp2_2_0044A48F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCommand line argument: reboot2_2_0044A48F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCommand line argument: %s%s2_2_0044A48F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCommand line argument: tempdisk1folder2_2_0044A48F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCommand line argument: ISSetup.dll2_2_0044A48F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCommand line argument: Skin2_2_0044A48F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCommand line argument: Startup2_2_0044A48F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCommand line argument: setup.isn2_2_0044A48F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCommand line argument: count2_2_0044A48F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCommand line argument: Languages2_2_0044A48F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCommand line argument: key%d2_2_0044A48F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCommand line argument: %s\0x%04x.ini2_2_0044A48F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCommand line argument: %s\%04x.mst2_2_0044A48F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCommand line argument: ~cF2_2_004662D0
PE file has an executable .text section and no other executable section
Source: 103WindowsAgentSetup.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this applications are using the .NET runtime (Probably coded in C#)
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\SysWOW64\msiexec.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select DeviceID,Name,Description,ProcessorType,ProcessorId,MaxClockSpeed,Architecture,SocketDesignation from Win32_Processor
Reads ini files
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exeFile read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample might require command line arguments
Source: msiexec.exeString found in binary or memory: Ready to launch post-install embedded UI program block
Spawns processes
Source: unknownProcess created: C:\Users\user\Desktop\103WindowsAgentSetup.exe 'C:\Users\user\Desktop\103WindowsAgentSetup.exe'
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe 'C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe' /v' CUSTOMERID=103 CUSTOMERNAME=c128f3201849b9a4d45dc695af9b4667b69cc09a269cc7f7ed5554dd9ddc0fe2 CUSTOMERSPECIFIC=1 SERVERPROTOCOL=https SERVERADDRESS='nable.acshosted.com' SERVERPORT=443 '
Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe 'C:\Windows\system32\MSIEXEC.EXE' /i 'C:\Windows\Downloaded Installations\{2B854D9C-2606-43E2-8838-24DEEF6DBDE8}\Windows Agent.msi' CUSTOMERID=103 CUSTOMERNAME=c128f3201849b9a4d45dc695af9b4667b69cc09a269cc7f7ed5554dd9ddc0fe2 CUSTOMERSPECIFIC=1 SERVERPROTOCOL=https SERVERADDRESS=nable.acshosted.com SERVERPORT=443 SETUPEXEDIR='C:\Users\user\AppData\Local\Temp\7ZipSfx.000' SETUPEXENAME='WindowsAgentSetup.exe'
Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9519F2DB82250E3379475EE4CA96DCF9 C
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3FDA2A19-F6F9-449B-AE15-BCD674D509F4}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2B5CD0E6-A465-42C8-9F1F-D13AB3B2219C}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E05E6440-5510-4D5E-B36C-FB12D1A31170}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{21DA8FBD-D6FA-4F25-880A-E89C24F5703E}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FDDCCC51-A1CA-40EA-964E-26D6C6CC85CC}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CC66B28C-7344-4F90-A33A-AC25C615FE57}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E2F6AA75-1FA5-4E38-BB7C-82F42E140381}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6DC492D9-DA3E-432B-BB33-7FEA5E638F8E}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9C58F465-0261-4552-BFBD-68C16F27FF73}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AB0A0A94-0802-4C2D-B77C-BF2F3D0A4D9D}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BB3DF7B9-8EBF-4B17-A4B3-B8CAB43455E4}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BC2D9D07-2B55-4C88-B7E1-2D4EA8D10ECA}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{28ADDDB3-4456-4FFC-B22F-E41813657FA4}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A35470C9-13B3-46EA-ACF8-082E2587DC25}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2363C7B4-266C-4BBC-857A-4D37B175FDC2}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{443E3C5F-D047-400D-9DC5-FE295606E548}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B59F3CDF-BFFC-4D53-8CFA-7EA0B5300EF5}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CC009CCE-FD67-4398-BAEA-45412D36E90B}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{251ED35D-4C3F-4FEE-A211-6E843AC4FF4B}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66328581-6694-4DA0-B2BC-AEB244790157}
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A4DC5774-FE0A-47B8-9B07-C1AACB49D3EE}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{12E444CD-AE7A-46C3-B2B7-D5AB958320C1}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6B5EC89A-F443-4610-869B-F3836BFD8B58}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3D8D12A0-5813-46BE-9B7A-3494C1C82CF9}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E37C8295-E550-4900-A0BB-3886467A1F70}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A4DBCCF1-99B7-48CE-B62A-E7CA2070D232}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B8801926-1611-4F49-9B7C-575003698024}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ADA33F21-713F-48D0-BAD2-8A68864F12A2}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7590FD73-4FBB-4EDA-A67C-93833F1F9481}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AA6B58E8-AD21-4C49-B3CB-A9B40C7CE465}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1075BCC4-B9B4-4ECE-9AC5-2DD322AC19FD}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{997F5048-35E6-41D9-99D6-5608ECBBBE0B}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5669F30D-A00A-40AA-81A6-F41F5437ECAB}
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{850BD7F8-F2F0-4589-BF94-0AB88DE5FDC0}
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exeProcess created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe 'C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe' /v' CUSTOMERID=103 CUSTOMERNAME=c128f3201849b9a4d45dc695af9b4667b69cc09a269cc7f7ed5554dd9ddc0fe2 CUSTOMERSPECIFIC=1 SERVERPROTOCOL=https SERVERADDRESS='nable.acshosted.com' SERVERPORT=443 'Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeProcess created: C:\Windows\SysWOW64\msiexec.exe 'C:\Windows\system32\MSIEXEC.EXE' /i 'C:\Windows\Downloaded Installations\{2B854D9C-2606-43E2-8838-24DEEF6DBDE8}\Windows Agent.msi' CUSTOMERID=103 CUSTOMERNAME=c128f3201849b9a4d45dc695af9b4667b69cc09a269cc7f7ed5554dd9ddc0fe2 CUSTOMERSPECIFIC=1 SERVERPROTOCOL=https SERVERADDRESS=nable.acshosted.com SERVERPORT=443 SETUPEXEDIR='C:\Users\user\AppData\Local\Temp\7ZipSfx.000' SETUPEXENAME='WindowsAgentSetup.exe'Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3FDA2A19-F6F9-449B-AE15-BCD674D509F4}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2B5CD0E6-A465-42C8-9F1F-D13AB3B2219C}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E05E6440-5510-4D5E-B36C-FB12D1A31170}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{21DA8FBD-D6FA-4F25-880A-E89C24F5703E}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FDDCCC51-A1CA-40EA-964E-26D6C6CC85CC}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CC66B28C-7344-4F90-A33A-AC25C615FE57}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E2F6AA75-1FA5-4E38-BB7C-82F42E140381}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6DC492D9-DA3E-432B-BB33-7FEA5E638F8E}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9C58F465-0261-4552-BFBD-68C16F27FF73}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AB0A0A94-0802-4C2D-B77C-BF2F3D0A4D9D}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BB3DF7B9-8EBF-4B17-A4B3-B8CAB43455E4}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BC2D9D07-2B55-4C88-B7E1-2D4EA8D10ECA}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{28ADDDB3-4456-4FFC-B22F-E41813657FA4}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A35470C9-13B3-46EA-ACF8-082E2587DC25}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2363C7B4-266C-4BBC-857A-4D37B175FDC2}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{443E3C5F-D047-400D-9DC5-FE295606E548}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B59F3CDF-BFFC-4D53-8CFA-7EA0B5300EF5}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CC009CCE-FD67-4398-BAEA-45412D36E90B}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{251ED35D-4C3F-4FEE-A211-6E843AC4FF4B}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A4DC5774-FE0A-47B8-9B07-C1AACB49D3EE}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{12E444CD-AE7A-46C3-B2B7-D5AB958320C1}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6B5EC89A-F443-4610-869B-F3836BFD8B58}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3D8D12A0-5813-46BE-9B7A-3494C1C82CF9}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E37C8295-E550-4900-A0BB-3886467A1F70}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A4DBCCF1-99B7-48CE-B62A-E7CA2070D232}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B8801926-1611-4F49-9B7C-575003698024}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ADA33F21-713F-48D0-BAD2-8A68864F12A2}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7590FD73-4FBB-4EDA-A67C-93833F1F9481}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1075BCC4-B9B4-4ECE-9AC5-2DD322AC19FD}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{997F5048-35E6-41D9-99D6-5608ECBBBE0B}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5669F30D-A00A-40AA-81A6-F41F5437ECAB}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{850BD7F8-F2F0-4589-BF94-0AB88DE5FDC0}Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E37C8295-E550-4900-A0BB-3886467A1F70}
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A4DBCCF1-99B7-48CE-B62A-E7CA2070D232}
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9C58F465-0261-4552-BFBD-68C16F27FF73}
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AB0A0A94-0802-4C2D-B77C-BF2F3D0A4D9D}
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E05E6440-5510-4D5E-B36C-FB12D1A31170}
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E2F6AA75-1FA5-4E38-BB7C-82F42E140381}
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CC009CCE-FD67-4398-BAEA-45412D36E90B}
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe C:\Users\user~1\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{251ED35D-4C3F-4FEE-A211-6E843AC4FF4B}
Uses an in-process (OLE) Automation server
Source: C:\Windows\SysWOW64\msiexec.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Writes ini files
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe File written: C:\Users\user\AppData\Local\Temp\{6866DAD7-05BD-4B52-B55C-B0C98357F2E9}\Setup.INI
Found GUI installer (many successful clicks)
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Install
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Install
Source: C:\Windows\SysWOW64\msiexec.exe Automated click: Install
Uses Rich Edit Controls
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL
Found graphical window changes (likely an installer)
Source: Window Recorder Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Submission file is bigger than most known malware samples
Source: 103WindowsAgentSetup.exe Static file information: File size 17899847 > 1048576
Binary contains paths to debug symbols
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb source: WindowsAgentSetup.exe, 00000002.00000000.4450934517.00000000004B5000.00000002.00020000.sdmp
Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe, 00000005.00000000.4487090492.00007FF732C17000.00000002.00020000.sdmp, ISBEW64.exe, 00000006.00000002.4497060645.00007FF732C17000.00000002.00020000.sdmp, ISBEW64.exe, 00000007.00000000.4491004656.00007FF732C17000.00000002.00020000.sdmp, ISBEW64.exe, 00000008.00000000.4492789836.00007FF732C17000.00000002.00020000.sdmp, ISBEW64.exe, 00000009.00000002.4501167173.00007FF732C17000.00000002.00020000.sdmp, ISBEW64.exe, 0000000A.00000002.4504161318.00007FF732C17000.00000002.00020000.sdmp, ISBEW64.exe, 0000000B.00000000.4497979218.00007FF732C17000.00000002.00020000.sdmp, ISBEW64.exe, 0000000C.00000000.4498755714.00007FF732C17000.00000002.00020000.sdmp, ISBEW64.exe, 0000000D.00000000.4499512154.00007FF732C17000.00000002.00020000.sdmp, ISBEW64.exe, 0000000E.00000002.4504291285.00007FF732C17000.00000002.00020000.sdmp, ISBEW64.exe, 0000000F.00000000.4511126656.00007FF732C17000.00000002.00020000.sdmp, ISBEW64.exe, 00000010.00000
Source: Binary string: c:\rpmeNsa\BUILD\agent-winnt-12.1.1.191\Development\n-central\agent_win\Installer\SetupLibrary\obj\Release\SetupLibrary.pdb source: msiexec.exe, 00000003.00000002.4894304362.0000000007870000.00000002.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exe Code function: 0_2_00402678 LoadLibraryA,GetProcAddress,GetNativeSystemInfo,0_2_00402678
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .rsrc
PE file contains an invalid checksum
Source: MSI6C76.tmp.3.dr Static PE information: real checksum: 0x3f7d2 should be: 0xe9081
Source: WindowsAgentSetup.exe.0.dr Static PE information: real checksum: 0x1182473 should be:
Source: 103WindowsAgentSetup.exe Static PE information: real checksum: 0x6b3b3 should be:
Source: MSI6E6B.tmp.3.dr Static PE information: real checksum: 0xc8520 should be: 0x1cfab8
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exe Code function: 0_2_00419290 push eax; ret 0_2_004192BE
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00457925 push ecx; ret 2_2_00457938
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Code function: 2_2_00453B4D push ecx; ret 2_2_00453B60

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI889B.tmp
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exe File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI6E6B.tmp
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe File created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEWI64.exe
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEW64.exe
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSID856.tmp
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe File created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\_isres_0x0409.dll
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI573.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI89C5.tmp
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe File created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISRT.dll
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe File created: C:\Users\user\AppData\Local\Temp\iss5C2C.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIEC6C.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIDD29.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI3262.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIA201.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI6C76.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI6A91.tmp
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe File created: C:\Users\user\AppData\Local\Temp\{15EF1E20-8B96-48C2-9B86-6F9C160F8657}\ISBEWX64.exe
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI309C.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIB8A7.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI862.tmp

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exeCode function: 2_2_004582D8 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_004582D8
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\103WindowsAgentSetup.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\WindowsAgentSetup.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows<