Windows Analysis Report
2UoXCbfNSl.msi

Overview

General Information

Sample Name: 2UoXCbfNSl.msi
Original Sample Name: cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a.msi
Analysis ID: 876164
MD5: 82ff84cb9924f0855a894e75b5d3edb2
SHA1: df89381239f8a8ececeb697a6a35a573203bac09
SHA256: cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a
Tags: gozimsi
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic
Drops executables to the windows directory (C:\Windows) and starts them
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Contains functionality to launch a program with higher privileges
Queries the current domain controller via net
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbC source: MSI2A38.tmp, 00000003.00000002.383017362.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2A38.tmp, 00000003.00000000.382068467.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2E51.tmp, 00000005.00000000.384252501.00000000011CD000.00000002.00000001.01000000.00000005.sdmp, 2UoXCbfNSl.msi, 51235f.msi.1.dr, MSI2A38.tmp.1.dr, 51235e.rbs.1.dr, 51235c.msi.1.dr, MSI29DA.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 2UoXCbfNSl.msi, MSI26B8.tmp.1.dr, 51235f.msi.1.dr, 51235c.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSI2A38.tmp, 00000003.00000002.383017362.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2A38.tmp, 00000003.00000000.382068467.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2E51.tmp, 00000005.00000000.384252501.00000000011CD000.00000002.00000001.01000000.00000005.sdmp, 2UoXCbfNSl.msi, 51235f.msi.1.dr, MSI2A38.tmp.1.dr, 51235e.rbs.1.dr, 51235c.msi.1.dr, MSI29DA.tmp.1.dr
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_013605E9 FindFirstFileExW, 3_2_013605E9

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:65323 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:63446 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:60975 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:56682 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:58581 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:56687 -> 8.8.8.8:53
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:61344 -> 8.8.8.8:53
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: sumarno.top replaycode: Server failure (2)
Source: 51235e.rbs.1.dr, MSI29DA.tmp.1.dr String found in binary or memory: https://sectigo.com
Source: 2UoXCbfNSl.msi, 51235f.msi.1.dr, 51235c.msi.1.dr String found in binary or memory: https://sectigo.comButtonText_Yes&YesARPCOMMENTSThis
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI26B8.tmp Jump to behavior
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\51235c.msi Jump to behavior
Detected potential crypto function
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_01356078 3_2_01356078
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_0132D060 3_2_0132D060
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_0135B336 3_2_0135B336
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_01349730 3_2_01349730
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_0134F700 3_2_0134F700
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_01364609 3_2_01364609
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_0135E919 3_2_0135E919
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_013538A0 3_2_013538A0
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_013518EF 3_2_013518EF
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_0135DB30 3_2_0135DB30
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_0134FA8E 3_2_0134FA8E
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_0134ADD9 3_2_0134ADD9
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_01330E90 3_2_01330E90
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_01362EC5 3_2_01362EC5
Found potential string decryption / allocating functions
Source: C:\Windows\Installer\MSI2A38.tmp Code function: String function: 013485D0 appears 39 times
Source: C:\Windows\Installer\MSI2A38.tmp Code function: String function: 01348246 appears 69 times
Source: C:\Windows\Installer\MSI2A38.tmp Code function: String function: 01348213 appears 97 times
Sample file is different than original file name gathered from version info
Source: 2UoXCbfNSl.msi Binary or memory string: OriginalFilenameviewer.exeF vs 2UoXCbfNSl.msi
Source: 2UoXCbfNSl.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs 2UoXCbfNSl.msi
Tries to load missing DLLs
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Installer\MSI2A38.tmp Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\2UoXCbfNSl.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EA13B634406DD4E4E1EC4CF54DDC47D4
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI2A38.tmp "C:\Windows\Installer\MSI2A38.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\user\AppData\Roaming\MSTX340\ini.dll,vips
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI2E51.tmp "C:\Windows\Installer\MSI2E51.tmp" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\user\AppData\Roaming\MSTX340/Information_psw.pdf
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c "net group "domain computers" /domain" >> C:\Users\user\AppData\Local\Temp\4505.tmp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "domain computers" /domain
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "domain computers" /domain
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c "nltest /dclist:" >> C:\Users\user\AppData\Local\Temp\158A.tmp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /dclist:
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EA13B634406DD4E4E1EC4CF54DDC47D4 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI2A38.tmp "C:\Windows\Installer\MSI2A38.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\user\AppData\Roaming\MSTX340\ini.dll,vips Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI2E51.tmp "C:\Windows\Installer\MSI2E51.tmp" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\user\AppData\Roaming\MSTX340/Information_psw.pdf Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "domain computers" /domain Jump to behavior
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "domain computers" /domain Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /dclist: Jump to behavior
Source: C:\Windows\Installer\MSI2A38.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\MultiPlast Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF96E1B63E07A25412.TMP Jump to behavior
Source: classification engine Classification label: mal52.evad.winMSI@18/31@0/0
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_01326EE0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,LocalFree,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error, 3_2_01326EE0
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_013261D0 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle, 3_2_013261D0
Source: 2UoXCbfNSl.msi Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_01
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_01321D70 LoadResource,LockResource,SizeofResource, 3_2_01321D70
Source: 2UoXCbfNSl.msi Static file information: File size 6096508 > 1048576
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbC source: MSI2A38.tmp, 00000003.00000002.383017362.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2A38.tmp, 00000003.00000000.382068467.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2E51.tmp, 00000005.00000000.384252501.00000000011CD000.00000002.00000001.01000000.00000005.sdmp, 2UoXCbfNSl.msi, 51235f.msi.1.dr, MSI2A38.tmp.1.dr, 51235e.rbs.1.dr, 51235c.msi.1.dr, MSI29DA.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 2UoXCbfNSl.msi, MSI26B8.tmp.1.dr, 51235f.msi.1.dr, 51235c.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSI2A38.tmp, 00000003.00000002.383017362.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2A38.tmp, 00000003.00000000.382068467.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2E51.tmp, 00000005.00000000.384252501.00000000011CD000.00000002.00000001.01000000.00000005.sdmp, 2UoXCbfNSl.msi, 51235f.msi.1.dr, MSI2A38.tmp.1.dr, 51235e.rbs.1.dr, 51235c.msi.1.dr, MSI29DA.tmp.1.dr
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_013481F0 push ecx; ret 3_2_01348203

Persistence and Installation Behavior
barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\msiexec.exe Executable created and started: C:\Windows\Installer\MSI2E51.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe Executable created and started: C:\Windows\Installer\MSI2A38.tmp Jump to behavior
Drops PE files
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI28B0.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\MSTX340\ini.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2841.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI26B8.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI27A3.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2A38.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2E51.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI27E3.tmp Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI28B0.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2841.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI26B8.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI27A3.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2A38.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2E51.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI27E3.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI28B0.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\MSTX340\ini.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2841.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI27A3.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI27E3.tmp Jump to dropped file
Found evasive API chain checking for process token information
Source: C:\Windows\Installer\MSI2A38.tmp Check user administrative privileges: GetTokenInformation,DecisionNodes
Queries the current domain controller via net
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "domain computers" /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "domain computers" /domain Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\Installer\MSI2A38.tmp API coverage: 5.4 %
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_013605E9 FindFirstFileExW, 3_2_013605E9
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_0134C3B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0134C3B6
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_01361533 GetProcessHeap, 3_2_01361533
Contains functionality to read the PEB
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_013603E8 mov eax, dword ptr fs:[00000030h] 3_2_013603E8
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_0135843F mov ecx, dword ptr fs:[00000030h] 3_2_0135843F
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI2A38.tmp "C:\Windows\Installer\MSI2A38.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\user\AppData\Roaming\MSTX340\ini.dll,vips Jump to behavior
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_01348553 SetUnhandledExceptionFilter, 3_2_01348553
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_0134C3B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0134C3B6
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_013483BD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_013483BD
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_01347B9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_01347B9C
Contains functionality to launch a program with higher privileges
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_01327660 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,GetWindowThreadProcessId,GetWindowLongW, 3_2_01327660
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net group "domain computers" /domain Jump to behavior
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "domain computers" /domain Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /dclist: Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Installer\MSI2A38.tmp Code function: GetLocaleInfoEx,FormatMessageA, 3_2_01332161
Source: C:\Windows\Installer\MSI2A38.tmp Code function: GetLocaleInfoEx, 3_2_013471C1
Source: C:\Windows\Installer\MSI2A38.tmp Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 3_2_01363414
Source: C:\Windows\Installer\MSI2A38.tmp Code function: EnumSystemLocalesW, 3_2_01363701
Source: C:\Windows\Installer\MSI2A38.tmp Code function: EnumSystemLocalesW, 3_2_0135C7A2
Source: C:\Windows\Installer\MSI2A38.tmp Code function: EnumSystemLocalesW, 3_2_0136379C
Source: C:\Windows\Installer\MSI2A38.tmp Code function: EnumSystemLocalesW, 3_2_013636B6
Source: C:\Windows\Installer\MSI2A38.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_01363827
Source: C:\Windows\Installer\MSI2A38.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_01363BA3
Source: C:\Windows\Installer\MSI2A38.tmp Code function: GetLocaleInfoW, 3_2_01363A7A
Source: C:\Windows\Installer\MSI2A38.tmp Code function: GetLocaleInfoW, 3_2_0135CD1F
Source: C:\Windows\Installer\MSI2A38.tmp Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_01363D78
Source: C:\Windows\Installer\MSI2A38.tmp Code function: GetLocaleInfoW, 3_2_01363CA9
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_0134801C cpuid 3_2_0134801C
Source: C:\Windows\System32\nltest.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_01348615 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_01348615
Source: C:\Windows\Installer\MSI2A38.tmp Code function: 3_2_0135D192 GetTimeZoneInformation, 3_2_0135D192