IOC Report
2UoXCbfNSl.msi

Files

File Path
Type
Category
Malicious
2UoXCbfNSl.msi
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {B4B73A8E-7CF9-43FC-9AD7-95DE9F858356}, Number of Words: 10, Subject: WinStore, Author: MultiPlast, Name of Creating Application: WinStore, Template: ;1033, Comments: This installer database contains the logic and data required to install WinStore., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Apr 25 16:36:21 2023, Number of Pages: 200
initial sample
malicious
C:\Windows\Installer\MSI2A38.tmp
PE32 executable (GUI) Intel 80386, for MS Windows
dropped
malicious
C:\Windows\Installer\MSI2E51.tmp
PE32 executable (GUI) Intel 80386, for MS Windows
modified
malicious
C:\Config.Msi\51235e.rbs
data
dropped
C:\Users\user\AppData\Local\Temp\158A.tmp
ASCII text, with CRLF line terminators
modified
C:\Users\user\AppData\Local\Temp\4505.tmp
ASCII text, with CRLF line terminators
modified
C:\Users\user\AppData\Roaming\MSTX340\Information_psw.pdf
PDF document, version 1.5 (zip deflate encoded)
dropped
C:\Users\user\AppData\Roaming\MSTX340\ini.dll
PE32+ executable (DLL) (console) x86-64, for MS Windows
dropped
C:\Windows\Installer\51235c.msi
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {B4B73A8E-7CF9-43FC-9AD7-95DE9F858356}, Number of Words: 10, Subject: WinStore, Author: MultiPlast, Name of Creating Application: WinStore, Template: ;1033, Comments: This installer database contains the logic and data required to install WinStore., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Apr 25 16:36:21 2023, Number of Pages: 200
dropped
C:\Windows\Installer\51235f.msi
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {B4B73A8E-7CF9-43FC-9AD7-95DE9F858356}, Number of Words: 10, Subject: WinStore, Author: MultiPlast, Name of Creating Application: WinStore, Template: ;1033, Comments: This installer database contains the logic and data required to install WinStore., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Apr 25 16:36:21 2023, Number of Pages: 200
dropped
C:\Windows\Installer\MSI26B8.tmp
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped
C:\Windows\Installer\MSI27A3.tmp
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped
C:\Windows\Installer\MSI27E3.tmp
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped
C:\Windows\Installer\MSI2841.tmp
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped
C:\Windows\Installer\MSI28B0.tmp
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped
C:\Windows\Installer\MSI29DA.tmp
data
dropped
C:\Windows\Installer\SourceHash{61FBEA40-2644-43BA-811E-2B6E5B7CAA2A}
Composite Document File V2 Document, Cannot read section info
dropped
C:\Windows\Installer\inprogressinstallinfo.ipi
Composite Document File V2 Document, Cannot read section info
dropped
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
dropped
C:\Windows\Temp\~DF10D2DAB67DA41C8A.TMP
Composite Document File V2 Document, Cannot read section info
dropped
C:\Windows\Temp\~DF1227C6BDFAEB717C.TMP
Composite Document File V2 Document, Cannot read section info
dropped
C:\Windows\Temp\~DF68D74EC899244EDA.TMP
data
dropped
C:\Windows\Temp\~DF7FE13E1A7726FEE7.TMP
Composite Document File V2 Document, Cannot read section info
dropped
C:\Windows\Temp\~DF8512FFC219F00200.TMP
data
dropped
C:\Windows\Temp\~DF95C513D54DE54DBD.TMP
data
dropped
C:\Windows\Temp\~DF96E1B63E07A25412.TMP
data
dropped
C:\Windows\Temp\~DFB2AA96E7FD83FBD9.TMP
Composite Document File V2 Document, Cannot read section info
dropped
C:\Windows\Temp\~DFB34D19DFF552AF61.TMP
data
dropped
C:\Windows\Temp\~DFBED5ECD771A438C3.TMP
data
dropped
C:\Windows\Temp\~DFDDFB5948BDA3D3DB.TMP
data
dropped
C:\Windows\Temp\~DFE5C2C184C7DA67D2.TMP
Composite Document File V2 Document, Cannot read section info
dropped
\Device\ConDrv
ASCII text, with CRLF line terminators
dropped

Processes

Path
Cmdline
Malicious
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\2UoXCbfNSl.msi"
malicious
C:\Windows\System32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
malicious
C:\Windows\Installer\MSI2A38.tmp
"C:\Windows\Installer\MSI2A38.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\user\AppData\Roaming\MSTX340\ini.dll,vips
malicious
C:\Windows\Installer\MSI2E51.tmp
"C:\Windows\Installer\MSI2E51.tmp" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\user\AppData\Roaming\MSTX340/Information_psw.pdf
malicious
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding EA13B634406DD4E4E1EC4CF54DDC47D4
C:\Windows\System32\cmd.exe
cmd /c "net group "domain computers" /domain" >> C:\Users\user\AppData\Local\Temp\4505.tmp
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\net.exe
net group "domain computers" /domain
C:\Windows\System32\net1.exe
C:\Windows\system32\net1 group "domain computers" /domain
C:\Windows\System32\cmd.exe
cmd /c "nltest /dclist:" >> C:\Users\user\AppData\Local\Temp\158A.tmp
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\nltest.exe
nltest /dclist:

URLs

Name
IP
Malicious
https://sectigo.com
unknown
https://sectigo.comButtonText_Yes&YesARPCOMMENTSThis
unknown

Registry

Path
Value
Malicious
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Owner
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
SessionHash
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Sequence
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Config.Msi\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\51235e.rbs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\51235e.rbsLow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Components\D1C45A00CA167434484F0477B34C634D
04AEBF164462AB3418E1B2E6B5C7AAA2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Components\9EB22A341D04FC24BA14210C4CE2C461
04AEBF164462AB3418E1B2E6B5C7AAA2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Components\9B2606BA92B964646B6ED73E215EDA19
04AEBF164462AB3418E1B2E6B5C7AAA2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Components\E8D709299ABD2A843ABC9F9FE10E4EEC
04AEBF164462AB3418E1B2E6B5C7AAA2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Users\user\AppData\Roaming\MultiPlast\WinStore\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Users\user\AppData\Roaming\MultiPlast\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Users\user\AppData\Roaming\MSTX340\
HKEY_CURRENT_USER\Software\MultiPlast\WinStore
Version
HKEY_CURRENT_USER\Software\MultiPlast\WinStore
Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
LocalPackage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
AuthorizedCDFPrefix
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
Comments
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
Contact
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
DisplayVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
HelpTelephone
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
InstallDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
InstallLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
InstallSource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
ModifyPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
NoModify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
Publisher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
Readme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
EstimatedSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
UninstallString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-3853321935-2125563209-4053062332-1002\Products\04AEBF164462AB3418E1B2E6B5C7AAA2\InstallProperties
URLUpdateInfo