Analysis Report

Overview

General Information

Joe Sandbox Version:	23.0.0
Analysis ID:	622264
Start time:	13:20:19
Joe Sandbox Product:	Cloud
Start date:	30.07.2018
Overall analysis duration:	0h 23m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	pdfescape-desktop-asian-and-extended.msi
Cookbook file name:	defaultwindowsmsicookbook.jbs
Analysis system description:	Windows 7 x64 (Office 2003 SP3, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal44.rans.adwa.evad.mine.winMSI@503/506@3/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 66% (good quality ratio 56.1%) Quality average: 56.6% Quality standard deviation: 32.6%
HCA Information:	Successful, ratio: 99% Number of executed functions: 147 Number of non-executed functions: 241
Cookbook Comments:	Adjust boot time Correcting counters for adjusted boot time Found application associated with file extension: .msi
Warnings:	Show All Max analysis timeout: 600s exceeded, the analysis took too long Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe Report creation exceeded maximum time and may have missing behavior and disassembly information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtFsControlFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtQueryVolumeInformationFile calls found. Report size getting too big, too many NtReadFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Report size getting too big, too many NtWriteFile calls found. Report size getting too big, too many NtWriteVirtualMemory calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: msiexec.exe, msiexec.exe, mscorsvw.exe, mscorsvw.exe Too many dropped files, some of them have not been restored

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	44	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Windows\System32\xbox-service.exe

Avira: Label: HEUR/AGEN.1013443

Multi AV Scanner detection for submitted file

Show sources

Source: pdfescape-desktop-asian-and-extended.msi

virustotal: Detection: 22%

Perma Link

Antivirus detection for unpacked file

Show sources

Source: 8.1.xbox-service.exe.13f1b0000.0.unpack	Avira: Label: HEUR/AGEN.1013443
Source: 8.2.xbox-service.exe.13f1b0000.0.unpack	Avira: Label: HEUR/AGEN.1013443
Source: 8.0.xbox-service.exe.13f1b0000.2.unpack	Avira: Label: HEUR/AGEN.1013443
Source: 9.1.xbox-service.exe.13fbc0000.0.unpack	Avira: Label: HEUR/AGEN.1013443
Source: 9.0.xbox-service.exe.13fbc0000.0.unpack	Avira: Label: HEUR/AGEN.1013443
Source: 8.0.xbox-service.exe.13f1b0000.0.unpack	Avira: Label: HEUR/AGEN.1013443
Source: 8.0.xbox-service.exe.13f1b0000.3.unpack	Avira: Label: HEUR/AGEN.1013443
Source: 8.0.xbox-service.exe.13f1b0000.1.unpack	Avira: Label: HEUR/AGEN.1013443

Cryptography:

Public key (encryption) found

Show sources

Source: tmp2C70.tmp.7.dr

Binary or memory string: -----BEGIN PUBLIC KEY-----

Bitcoin Miner:

Found strings related to Crypto-Mining

Show sources

Source: pagefile.sys.9.dr

String found in binary or memory: "cpu_threads_conf" : [ { "low_power_mode" : false, "no_prefetch" : true, "affine_to_cpu" : 0 }, ], "use_slow_memory" : "warn", "Nicehash_nonce" : false, "aes_override" : null, "use_tls" : false, "tls_secure_algo" : true, "tls_fingerprint" : "", "pool_address" : "monerohash.com:80", "wallet_address" :

Spreading:

Checks for available system drives (often done to infect USB drives)

Show sources

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: c:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:	Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF3941F30 FindFirstFileExW,	7_1_000007FEF3941F30
Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF3959598 FindFirstFileExA,	7_1_000007FEF3959598
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1D33D4 FindFirstFileExA,	8_2_000000013F1D33D4
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBE33D4 FindFirstFileExA,	9_1_000000013FBE33D4
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800C9C70 FindFirstFileExA,	10_1_00000001800C9C70
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800C9C70 FindFirstFileExA,	12_1_00000001800C9C70

Networking:

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250
Source: unknown	UDP traffic detected without corresponding DNS query: 239.255.255.250

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /module/glamour HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: download-desktop.pdfescape.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download/pdfescape/pdfescape1/glamour HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: cdn.lulusoft.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pdfescape3/glamour/PDFescape_Desktop_Installer_3.0.25.584.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: download-desktop-msi.pdfescape.comConnection: Keep-Alive

Contains functionality to download additional files from the internet

Show sources

Source: C:\Windows\System32\msiexec.exe

Code function: 7_1_000007FEF3942F30 DeleteUrlCacheEntry,URLDownloadToFileA,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

7_1_000007FEF3942F30

Downloads files

Show sources

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GOPT6FQ2

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /module/glamour HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: download-desktop.pdfescape.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download/pdfescape/pdfescape1/glamour HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: cdn.lulusoft.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pdfescape3/glamour/PDFescape_Desktop_Installer_3.0.25.584.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: download-desktop-msi.pdfescape.comConnection: Keep-Alive

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: download-desktop.pdfescape.com

Urls found in memory or binary data

Show sources

Source: tmp2C70.tmp.7.dr	String found in binary or memory: file://
Source: tmp2C70.tmp.7.dr	String found in binary or memory: file://%s
Source: tmp2C70.tmp.7.dr	String found in binary or memory: file://%sresource://blankEndHTMLStartHTMLEndFragmentStartFragmentVersion:1.0
Source: tmp2C70.tmp.7.dr	String found in binary or memory: file://hostname/
Source: tmp2C70.tmp.7.dr	String found in binary or memory: ftp://
Source: tmp2C70.tmp.7.dr	String found in binary or memory: ftp://%s:%s
Source: tmp2C70.tmp.7.dr	String found in binary or memory: ftp://;type=AcceptAccept:
Source: pagefile.sys.9.dr	String found in binary or memory: http://%s/h
Source: pagefile.sys.9.dr	String found in binary or memory: http://%s/hHostLocation
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://%s:%d
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://%s:%d5
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://bugreport.pdfescape.com/service.asmxW
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://data28.somee.com/data32.zip
Source: msiexec.exe, pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://desktop.sodapdf.com/
Source: pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://desktop.sodapdf.com/SOFTWARE
Source: msiexec.exe, pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://desktop.sodapdf.com/module/glamour
Source: pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://desktop.sodapdf.com/module/glamourhttp://download8.sodapdf.com/module/glamourhttp://download-
Source: msiexec.exe, pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://download-desktop.pdfescape.com/
Source: pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://download-desktop.pdfescape.com/SOFTWARE
Source: msiexec.exe, pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://download-desktop.pdfescape.com/module/glamour
Source: msiexec.exe, pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://download2018.pdf-suite.com/
Source: pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://download2018.pdf-suite.com/SOFTWARE
Source: msiexec.exe, pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://download2018.pdf-suite.com/module/glamour
Source: msiexec.exe, pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://download8.sodapdf.com/
Source: pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://download8.sodapdf.com/SOFTWARE
Source: msiexec.exe, pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://download8.sodapdf.com/module/glamour
Source: msiexec.exe, pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://downloads.docudesk.com/
Source: pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://downloads.docudesk.com/SOFTWARE
Source: msiexec.exe, pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://downloads.docudesk.com/module/glamour
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://ftp://
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://jtracking-gate.lulusoft.comIEH
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://paygw.pdfescape.com/redirect/http://download-desktop.pdfescape.com/pdfescape-desktop&&version
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://s.symcd.com06
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/arrayType
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/arrayType0
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://sodapdf.com/fr/confidentialite#privacy-dehttp://sodapdf.com/de/datenschutz#privacy-it#privacy
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://sodapdf.com/privacy/
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://stats.pdfescape.com/Tracking.asmx
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://tempuri.org/
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://tempuri.org/AddBug
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://tempuri.org/CompressSimpleTrackSetup
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://tempuri.org/GetVersionInfo
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://tempuri.org/http://tempuri.org/VersionVersionparamparamNameName
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://tempuri.org/http://tempuri.org/datadata
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://terrainformatica.com/forums/topic.php?id=1772
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://upclick.com/
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://upclick.com/GetLocationInfo
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://upclick.com/http://upclick.com/
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://update.pdfescape.com/Service.asmx
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://webcompanion.com/nano_download.php?partner=
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://webcompanion.com/nano_download.php?partner=&campaign=
Source: pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://winservice32.website.tk/m.html
Source: pagefile.sys.9.dr	String found in binary or memory: http://winservice32.website.tk/m.htmldata
Source: tmp2C70.tmp.7.dr	String found in binary or memory: http://wsgeoip.pdfescape.com/ipservice.asmx
Source: Identity-UTF16-V.2.dr	String found in binary or memory: http://www.artifex.com/licensing/
Source: Identity-UTF16-V.2.dr	String found in binary or memory: http://www.ghostscript.com/licensing/.
Source: pagefile.sys.9.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://www.pdfescape.com/privacy/
Source: msiexec.exe, 00000001.00000003.12378422218.000000000050A000.00000004.sdmp, pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://www.redsoftware.com/
Source: msiexec.exe, 00000001.00000003.12667191155.0000000000586000.00000004.sdmp, msiexec.exe, 00000001.00000003.12378422218.000000000050A000.00000004.sdmp, pdfescape-desktop-asian-and-extended.msi	String found in binary or memory: http://www.redsoftware.com/contact/
Source: tmp2C70.tmp.7.dr	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: tmp2C70.tmp.7.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: tmp2C70.tmp.7.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: tmp2C70.tmp.7.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: tmp2C70.tmp.7.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: rundll32.exe, pagefile.sys.9.dr	String found in binary or memory: https://www.google-analytics.com/collect?v=1&tid=UA-108153473-1&cid=

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file

Show sources

Source: C:\Windows\System32\msiexec.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

DDoS:

Too many similar processes found

Show sources

Source: unknown

Process created: 391

Operating System Destruction:

Mass deletion, destroys many files

Show sources

Source: c:\windows\system32\xbox-service.exe

File deleted: Number of file deletion 463 exceeds threshold 400

System Summary:

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Show sources

Source: C:\Windows\SysWOW64\msiexec.exe	Memory allocated: 77080000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Memory allocated: 771A0000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Memory allocated: 77080000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	Memory allocated: 771A0000 page execute and read and write	Jump to behavior

Contains functionality to delete services

Show sources

Source: C:\Windows\System32\xbox-service.exe

Code function: 8_2_000000013F1BB640 OpenSCManagerA,LoadStringA,MessageBoxA,OpenServiceA,CloseServiceHandle,LoadStringA,ControlService,GetLastError,MessageBoxA,DeleteService,CloseServiceHandle,CloseServiceHandle,MessageBoxA,RegDeleteValueA,RegCloseKey,RegCloseKey,

8_2_000000013F1BB640

Creates driver files

Show sources

Source: C:\Windows\System32\xbox-service.exe

File created: C:\Windows\pagefile.sys

Creates files inside the system directory

Show sources

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\51df1b.msi

Jump to behavior

Deletes files inside the Windows folder

Show sources

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\51df1c.ipi

Jump to behavior

Detected potential crypto function

Show sources

Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF394E7A8	7_1_000007FEF394E7A8
Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF3952BD0	7_1_000007FEF3952BD0
Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF395938C	7_1_000007FEF395938C
Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF395696C	7_1_000007FEF395696C
Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF3958924	7_1_000007FEF3958924
Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF395CF80	7_1_000007FEF395CF80
Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF395E6F4	7_1_000007FEF395E6F4
Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF39566F4	7_1_000007FEF39566F4
Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF3957DE8	7_1_000007FEF3957DE8
Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF3947D48	7_1_000007FEF3947D48
Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF395BDA0	7_1_000007FEF395BDA0
Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF394EDAC	7_1_000007FEF394EDAC
Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF394F50C	7_1_000007FEF394F50C
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1BB640	8_2_000000013F1BB640
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1C9754	8_2_000000013F1C9754
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1C1770	8_2_000000013F1C1770
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1BA5F0	8_2_000000013F1BA5F0
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1B7EA0	8_2_000000013F1B7EA0
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1D4ED4	8_2_000000013F1D4ED4
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1D6510	8_2_000000013F1D6510
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1CB5E0	8_2_000000013F1CB5E0
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1B1490	8_2_000000013F1B1490
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1C8CA8	8_2_000000013F1C8CA8
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1CAAE8	8_2_000000013F1CAAE8
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1D8B6C	8_2_000000013F1D8B6C
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1CBB89	8_2_000000013F1CBB89
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1DA388	8_2_000000013F1DA388
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1C9A38	8_2_000000013F1C9A38
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1DC274	8_2_000000013F1DC274
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1D7A94	8_2_000000013F1D7A94
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1B3284	8_2_000000013F1B3284
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1B4AE0	8_2_000000013F1B4AE0
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1B5920	8_2_000000013F1B5920
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1C715C	8_2_000000013F1C715C
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1D31C8	8_2_000000013F1D31C8
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1CB0BC	8_2_000000013F1CB0BC
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBD1770	9_1_000000013FBD1770
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBC1490	9_1_000000013FBC1490
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBC3284	9_1_000000013FBC3284
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBC5920	9_1_000000013FBC5920
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBDB0BC	9_1_000000013FBDB0BC
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBD9754	9_1_000000013FBD9754
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBC7EA0	9_1_000000013FBC7EA0
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBE4ED4	9_1_000000013FBE4ED4
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBCA5F0	9_1_000000013FBCA5F0
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBCB640	9_1_000000013FBCB640
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBDB5E0	9_1_000000013FBDB5E0
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBE6510	9_1_000000013FBE6510
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBD8CA8	9_1_000000013FBD8CA8
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBDBB89	9_1_000000013FBDBB89
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBEA388	9_1_000000013FBEA388
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBE8B6C	9_1_000000013FBE8B6C
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBDAAE8	9_1_000000013FBDAAE8
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBE7A94	9_1_000000013FBE7A94
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBEC274	9_1_000000013FBEC274
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBC4AE0	9_1_000000013FBC4AE0
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBD9A38	9_1_000000013FBD9A38
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBE31C8	9_1_000000013FBE31C8
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBD715C	9_1_000000013FBD715C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180058004	10_1_0000000180058004
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800D404C	10_1_00000001800D404C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018001A050	10_1_000000018001A050
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800B4140	10_1_00000001800B4140
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800101C0	10_1_00000001800101C0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800D21EC	10_1_00000001800D21EC
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180054211	10_1_0000000180054211
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018001E230	10_1_000000018001E230
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018008A2A0	10_1_000000018008A2A0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800D02AC	10_1_00000001800D02AC
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800582DF	10_1_00000001800582DF
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180052300	10_1_0000000180052300
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018002A360	10_1_000000018002A360
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800B43BC	10_1_00000001800B43BC
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018002C410	10_1_000000018002C410
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180010410	10_1_0000000180010410
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180054440	10_1_0000000180054440
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800C2444	10_1_00000001800C2444
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180052460	10_1_0000000180052460
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018005A480	10_1_000000018005A480
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800745B0	10_1_00000001800745B0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018005260A	10_1_000000018005260A
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800B4638	10_1_00000001800B4638
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800CC634	10_1_00000001800CC634
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180058670	10_1_0000000180058670
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180010670	10_1_0000000180010670
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800566E0	10_1_00000001800566E0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180054750	10_1_0000000180054750
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180056883	10_1_0000000180056883
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180058890	10_1_0000000180058890
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018004C8E0	10_1_000000018004C8E0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800528F3	10_1_00000001800528F3
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180010920	10_1_0000000180010920
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180054980	10_1_0000000180054980
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800529E0	10_1_00000001800529E0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180058A70	10_1_0000000180058A70
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800A4B1C	10_1_00000001800A4B1C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800D2B48	10_1_00000001800D2B48
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180056B63	10_1_0000000180056B63
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180062B90	10_1_0000000180062B90
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018001ABB0	10_1_000000018001ABB0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180066BC0	10_1_0000000180066BC0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180056C11	10_1_0000000180056C11
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180050C40	10_1_0000000180050C40
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180056C50	10_1_0000000180056C50
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180054C60	10_1_0000000180054C60
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180088C70	10_1_0000000180088C70
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180026CC0	10_1_0000000180026CC0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800D0D00	10_1_00000001800D0D00
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018004CD40	10_1_000000018004CD40
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180010D50	10_1_0000000180010D50
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180040DA0	10_1_0000000180040DA0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018000CE50	10_1_000000018000CE50
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180098E9C	10_1_0000000180098E9C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180054EE0	10_1_0000000180054EE0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180008F70	10_1_0000000180008F70
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180062FB0	10_1_0000000180062FB0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800BEFBC	10_1_00000001800BEFBC
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180053020	10_1_0000000180053020
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180059040	10_1_0000000180059040
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018007B060	10_1_000000018007B060
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800550B1	10_1_00000001800550B1
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180015110	10_1_0000000180015110
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800D71B0	10_1_00000001800D71B0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180029220	10_1_0000000180029220
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180011230	10_1_0000000180011230
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800BD250	10_1_00000001800BD250
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180031260	10_1_0000000180031260
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180031280	10_1_0000000180031280
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018004B2B0	10_1_000000018004B2B0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800312F0	10_1_00000001800312F0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800C92F8	10_1_00000001800C92F8
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180021310	10_1_0000000180021310
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180031380	10_1_0000000180031380
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800BB3D8	10_1_00000001800BB3D8
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180031400	10_1_0000000180031400
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180057450	10_1_0000000180057450
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800D34DC	10_1_00000001800D34DC
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800074E0	10_1_00000001800074E0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180053570	10_1_0000000180053570
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018005560A	10_1_000000018005560A
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018007B630	10_1_000000018007B630
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180059640	10_1_0000000180059640
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018005F640	10_1_000000018005F640
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180057670	10_1_0000000180057670
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800536D0	10_1_00000001800536D0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180055770	10_1_0000000180055770
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180011780	10_1_0000000180011780
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800A77D4	10_1_00000001800A77D4
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180045800	10_1_0000000180045800
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800CF818	10_1_00000001800CF818
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180045850	10_1_0000000180045850
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180045880	10_1_0000000180045880
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180053879	10_1_0000000180053879
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180059890	10_1_0000000180059890
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800BD8AC	10_1_00000001800BD8AC
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800458D0	10_1_00000001800458D0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018003D8F0	10_1_000000018003D8F0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018003B960	10_1_000000018003B960
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018007B980	10_1_000000018007B980
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800159E0	10_1_00000001800159E0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800C9A64	10_1_00000001800C9A64
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180099A98	10_1_0000000180099A98
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180077AD0	10_1_0000000180077AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180055AE0	10_1_0000000180055AE0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180053B55	10_1_0000000180053B55
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800C7B80	10_1_00000001800C7B80
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800C5C40	10_1_00000001800C5C40
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180053C50	10_1_0000000180053C50
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_0000000180011C60	10_1_0000000180011C60
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018007BCA0	10_1_000000018007BCA0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800CFD14	10_1_00000001800CFD14
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180058004	12_1_0000000180058004
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800D404C	12_1_00000001800D404C
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018001A050	12_1_000000018001A050
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800B4140	12_1_00000001800B4140
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800101C0	12_1_00000001800101C0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800D21EC	12_1_00000001800D21EC
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180054211	12_1_0000000180054211
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018001E230	12_1_000000018001E230
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018008A2A0	12_1_000000018008A2A0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800D02AC	12_1_00000001800D02AC
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800582DF	12_1_00000001800582DF
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180052300	12_1_0000000180052300
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018002A360	12_1_000000018002A360
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800B43BC	12_1_00000001800B43BC
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018002C410	12_1_000000018002C410
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180010410	12_1_0000000180010410
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180054440	12_1_0000000180054440
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800C2444	12_1_00000001800C2444
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180052460	12_1_0000000180052460
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018005A480	12_1_000000018005A480
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800745B0	12_1_00000001800745B0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018005260A	12_1_000000018005260A
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800B4638	12_1_00000001800B4638
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800CC634	12_1_00000001800CC634
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180058670	12_1_0000000180058670
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180010670	12_1_0000000180010670
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800566E0	12_1_00000001800566E0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180054750	12_1_0000000180054750
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180056883	12_1_0000000180056883
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180058890	12_1_0000000180058890
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018004C8E0	12_1_000000018004C8E0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800528F3	12_1_00000001800528F3
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180010920	12_1_0000000180010920
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180054980	12_1_0000000180054980
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800529E0	12_1_00000001800529E0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180058A70	12_1_0000000180058A70
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800A4B1C	12_1_00000001800A4B1C
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800D2B48	12_1_00000001800D2B48
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180056B63	12_1_0000000180056B63
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180062B90	12_1_0000000180062B90
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018001ABB0	12_1_000000018001ABB0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180066BC0	12_1_0000000180066BC0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180056C11	12_1_0000000180056C11
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180050C40	12_1_0000000180050C40
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180056C50	12_1_0000000180056C50
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180054C60	12_1_0000000180054C60
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180088C70	12_1_0000000180088C70
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180026CC0	12_1_0000000180026CC0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800D0D00	12_1_00000001800D0D00
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018004CD40	12_1_000000018004CD40
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180010D50	12_1_0000000180010D50
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180040DA0	12_1_0000000180040DA0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018000CE50	12_1_000000018000CE50
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180098E9C	12_1_0000000180098E9C
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180054EE0	12_1_0000000180054EE0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180008F70	12_1_0000000180008F70
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180062FB0	12_1_0000000180062FB0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800BEFBC	12_1_00000001800BEFBC
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180053020	12_1_0000000180053020
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180059040	12_1_0000000180059040
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018007B060	12_1_000000018007B060
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800550B1	12_1_00000001800550B1
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180015110	12_1_0000000180015110
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800D71B0	12_1_00000001800D71B0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180029220	12_1_0000000180029220
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180011230	12_1_0000000180011230
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800BD250	12_1_00000001800BD250
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180031260	12_1_0000000180031260
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180031280	12_1_0000000180031280
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018004B2B0	12_1_000000018004B2B0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800312F0	12_1_00000001800312F0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800C92F8	12_1_00000001800C92F8
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180021310	12_1_0000000180021310
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180031380	12_1_0000000180031380
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800BB3D8	12_1_00000001800BB3D8
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180031400	12_1_0000000180031400
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180057450	12_1_0000000180057450
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800D34DC	12_1_00000001800D34DC
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800074E0	12_1_00000001800074E0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180053570	12_1_0000000180053570
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018005560A	12_1_000000018005560A
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018007B630	12_1_000000018007B630
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180059640	12_1_0000000180059640
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018005F640	12_1_000000018005F640
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180057670	12_1_0000000180057670
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800536D0	12_1_00000001800536D0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180055770	12_1_0000000180055770
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180011780	12_1_0000000180011780
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800A77D4	12_1_00000001800A77D4
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180045800	12_1_0000000180045800
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800CF818	12_1_00000001800CF818
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180045850	12_1_0000000180045850
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180045880	12_1_0000000180045880
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180053879	12_1_0000000180053879
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180059890	12_1_0000000180059890
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800BD8AC	12_1_00000001800BD8AC
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800458D0	12_1_00000001800458D0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018003D8F0	12_1_000000018003D8F0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018003B960	12_1_000000018003B960
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018007B980	12_1_000000018007B980
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800159E0	12_1_00000001800159E0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800C9A64	12_1_00000001800C9A64
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180099A98	12_1_0000000180099A98
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180077AD0	12_1_0000000180077AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180055AE0	12_1_0000000180055AE0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180053B55	12_1_0000000180053B55
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800C7B80	12_1_00000001800C7B80
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800C5C40	12_1_00000001800C5C40
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180053C50	12_1_0000000180053C50
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180011C60	12_1_0000000180011C60
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018007BCA0	12_1_000000018007BCA0
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800CFD14	12_1_00000001800CFD14
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180053E30	12_1_0000000180053E30
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180057E70	12_1_0000000180057E70
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_0000000180069E80	12_1_0000000180069E80

Enables security privileges

Show sources

Source: C:\Windows\System32\msiexec.exe

Process token adjusted: Security

Jump to behavior

Found potential string decryption / allocating functions

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180034730 appears 301 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000000018008B730 appears 48 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00000001800340E0 appears 219 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180033EB0 appears 70 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000000018003CFB0 appears 37 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000000018008B5CC appears 38 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180030EF0 appears 32 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180037140 appears 54 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00000001800345E0 appears 42 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000000018008EF10 appears 1421 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180037A10 appears 1090 times

PE file contains executable resources (Code or Archives)

Show sources

Source: xbox-service.exe.7.dr	Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract
Source: PDFescape_Desktop_Installer_3.0.25.584[1].exe.7.dr	Static PE information: Resource name: DLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: PDFescape_Desktop_Installer_3.0.25.584[1].exe.7.dr	Static PE information: Resource name: IDT_SZSR type: Zip archive data, at least v2.0 to extract

PE file contains strange resources

Show sources

Source: PDFescape_Desktop_Installer_3.0.25.584[1].exe.7.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pagefile.sys.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pagefile.sys.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pagefile.sys.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Windows\System32\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Sample file is different than original file name gathered from version info

Show sources

Source: pdfescape-desktop-asian-and-extended.msi

Binary or memory string: OriginalFilenameprinteula.dllL vs pdfescape-desktop-asian-and-extended.msi

Tries to load missing DLLs

Show sources

Source: C:\Windows\System32\xbox-service.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll			Jump to behavior
Source: C:\Windows\System32\xbox-service.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll

PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)

Show sources

Source: xbox-service.exe.7.dr

Static PE information: Section: .rsrc ZLIB complexity 0.998208776846

Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)

Show sources

Source: metadata-2.2.dr	Binary string: buttonup_off.png22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.2.dr	Binary string: scenes_intro_bg_pal.wmv22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.2.dr	Binary string: keypad.xml22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\99program files\dvd maker\shared\dvdstyles\specialoccasion,,specialnavigationup_selectionsubpicture.png22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.2.dr	Binary string: acxtrnal.dll22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.2.dr	Binary string: journal.exe22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.2.dr	Binary string: sbdrop.dll22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.2.dr	Binary string: system.web.dynamicdata.dll22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images33docked_black_moon-waxing-gibbous_partly-cloudy.png22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.2.dr	Binary string: system.addin.contract.dll22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.2.dr	Binary string: wmplayer.exe.mui22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images**undocked_black_moon-new_partly-cloudy.png22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.2.dr	Binary string: highlight.png22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\66program files\windows sidebar\gadgets\rssfeeds.gadgeticon.png22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}

Classification label

Show sources

Source: classification engine

Classification label: mal44.rans.adwa.evad.mine.winMSI@503/506@3/5

Contains functionality to create services

Show sources

Source: C:\Windows\System32\xbox-service.exe	Code function: GetModuleFileNameA,OpenSCManagerA,MessageBoxA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,		8_2_000000013F1B8DA0
Source: C:\Windows\System32\xbox-service.exe	Code function: GetModuleFileNameA,OpenSCManagerA,MessageBoxA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,		9_1_000000013FBC8DA0

Contains functionality to instantiate COM classes

Show sources

Source: C:\Windows\System32\xbox-service.exe

Code function: 8_2_000000013F1B6360 CoCreateInstance,

8_2_000000013F1B6360

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Windows\System32\msiexec.exe

Code function: 7_1_000007FEF3943870 GetWindowsDirectoryA,FindResourceA,LoadResource,LockResource,SizeofResource,Sleep,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

7_1_000007FEF3943870

Contains functionality to modify services (start/stop/modify)

Show sources

Source: C:\Windows\System32\msiexec.exe

Code function: 7_1_000007FEF3943560 OpenSCManagerA,OpenServiceA,ChangeServiceConfigA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

7_1_000007FEF3943560

Contains functionality to register a service control handler (likely the sample is a service DLL)

Show sources

Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1BB330 RegQueryValueExA,StartServiceCtrlDispatcherA,GetLastError,RegCloseKey,RegCloseKey,		8_2_000000013F1BB330
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBCB330 RegQueryValueExA,StartServiceCtrlDispatcherA,GetLastError,RegCloseKey,RegCloseKey,		9_1_000000013FBCB330

Creates files inside the program directory

Show sources

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\PDFescape Desktop

Jump to behavior

Creates temporary files

Show sources

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DFA7C98E8F99864179.TMP

Jump to behavior

Reads ini files

Show sources

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\SysWOW64\msiexec.exe

Key opened: HKEY_USERS\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Runs a DLL by calling functions

Show sources

Source: unknown

Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll

SQL strings found in memory and binary data

Show sources

Source: tmp2C70.tmp.7.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: tmp2C70.tmp.7.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: tmp2C70.tmp.7.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: tmp2C70.tmp.7.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Sample is known by Antivirus

Show sources

Source: pdfescape-desktop-asian-and-extended.msi

virustotal: Detection: 22%

Spawns processes

Show sources

Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\pdfescape-desktop-asian-and-extended.msi'
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: unknown	Process created: C:\Windows\System32\VSSVC.exe C:\Windows\system32\vssvc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k swprv
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\MsiExec.exe -Embedding D0DE56A5A4E90E630E24D08AB2B60C38
Source: unknown	Process created: C:\Windows\System32\xbox-service.exe C:\Windows\system32\xbox-service.exe -service
Source: unknown	Process created: C:\Windows\System32\xbox-service.exe C:\Windows\system32\xbox-service.exe
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\MsiExec.exe -Embedding D0DE56A5A4E90E630E24D08AB2B60C38	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\xbox-service.exe C:\Windows\system32\xbox-service.exe -service	Jump to behavior
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Windows\pagefile.sys,dll
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown
Source: C:\Windows\System32\xbox-service.exe	Process created: unknown unknown

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Found GUI installer (many successful clicks)

Show sources

Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: I accept the terms in the License Agreement
Source: C:\Windows\SysWOW64\msiexec.exe	Automated click: Install

Found installer window with terms and condition text

Show sources

Source: C:\Windows\SysWOW64\msiexec.exe

Window detected: WixUI_Bmp_DialogI &accept the terms in the License Agreement&Print&Back&InstallCancelThe software that is subject to this End User's Software License Agreement ("EULA") is the PDFescape Desktop software (the "Licensed Software" as more fully defined below). This EULA is a legally binding agreement between the end user (the "Licensee") and Red Software (the "Licensor") pursuant to which the Licensor licenses the use of the Licensed Software to the end user (the "Licensee").Please read it carefully. If you have any questions concerning this EULA please contact the Licensor. Any installing copying accessing or using the Licensed Software by you (the "Licensee") constitutes Licensee's acceptance of and promise to comply with all of the terms and conditions of this EULA.Revised 2016-04-04LICENSE TERMS1. SOFTWARE CONTENTThe "Licensed Software" includes all of the contents of the files disk(s) CD-ROM(s) DVDs or other media for which this EULA is provided including:(1)third party computer information or software that

Creates a directory in C:\Program Files

Show sources

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\78-EUC-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\78-EUC-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\78-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\78-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\78-RKSJ-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\78-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\78ms-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\78ms-RKSJ-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\83pv-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\90ms-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\90ms-RKSJ-UCS2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\90ms-RKSJ-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\90msp-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\90msp-RKSJ-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\90pv-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\90pv-RKSJ-UCS2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\90pv-RKSJ-UCS2C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\90pv-RKSJ-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Add-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Add-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Add-RKSJ-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Add-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-CNS1-0	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-CNS1-1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-CNS1-2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-CNS1-3	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-CNS1-4	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-CNS1-5	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-CNS1-B5pc	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-CNS1-ETenms-B5	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-CNS1-H-CID	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-CNS1-H-Host	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-CNS1-H-Mac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-CNS1-UCS2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-GB1-0	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-GB1-1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-GB1-2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-GB1-3	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-GB1-4	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-GB1-5	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-GB1-GBK-EUC	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-GB1-GBpc-EUC	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-GB1-H-CID	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-GB1-H-Host	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-GB1-H-Mac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-GB1-UCS2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Japan1-0	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Japan1-1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Japan1-2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Japan1-3	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Japan1-4	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Japan1-5	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Japan1-6	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Japan1-90ms-RKSJ	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Japan1-90pv-RKSJ	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Japan1-H-CID	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Japan1-H-Host	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Japan1-H-Mac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Japan1-PS-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Japan1-PS-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Japan1-UCS2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Japan2-0	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Korea1-0	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Korea1-1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Korea1-2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Korea1-H-CID	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Korea1-H-Host	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Korea1-H-Mac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Korea1-KSCms-UHC	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Korea1-KSCpc-EUC	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Adobe-Korea1-UCS2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\B5-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\B5-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\B5pc-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\B5pc-UCS2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\B5pc-UCS2C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\B5pc-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\CNS-EUC-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\CNS-EUC-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\CNS01-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\CNS02-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\CNS03-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\CNS04-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\CNS05-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\CNS06-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\CNS07-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\CNS1-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\CNS1-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\CNS15-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\CNS2-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\CNS2-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\ETen-B5-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\ETen-B5-UCS2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\ETen-B5-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\ETenms-B5-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\ETenms-B5-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\ETHK-B5-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\ETHK-B5-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\EUC-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\EUC-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Ext-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Ext-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Ext-RKSJ-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Ext-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GB-EUC-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GB-EUC-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GB-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GB-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GB-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBK-EUC-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBK-EUC-UCS2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBK-EUC-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBK2K-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBK2K-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBKp-EUC-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBKp-EUC-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBpc-EUC-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBpc-EUC-UCS2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBpc-EUC-UCS2C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBpc-EUC-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBT-EUC-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBT-EUC-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBT-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBT-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBT-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBTpc-EUC-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\GBTpc-EUC-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Hankaku	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Hiragana	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\HK-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\HKdla-B5-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\HKdla-B5-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\HKdlb-B5-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\HKdlb-B5-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\HKgccs-B5-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\HKgccs-B5-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\HKm314-B5-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\HKm314-B5-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\HKm471-B5-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\HKm471-B5-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\HKscs-B5-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\HKscs-B5-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Hojo-EUC-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Hojo-EUC-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Hojo-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Hojo-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Hojo-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Identity-UTF16-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Identity-UTF16-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Katakana	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSC-EUC-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSC-EUC-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSC-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSC-Johab-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSC-Johab-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSC-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSC-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSC2-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSCms-UHC-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSCms-UHC-HW-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSCms-UHC-HW-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSCms-UHC-UCS2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSCms-UHC-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSCpc-EUC-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSCpc-EUC-UCS2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSCpc-EUC-UCS2C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\KSCpc-EUC-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\NWP-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\NWP-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\RKSJ-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\Roman	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\TCVN-RKSJ-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UCS2-90ms-RKSJ	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UCS2-90pv-RKSJ	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UCS2-B5pc	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UCS2-ETen-B5	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UCS2-GBK-EUC	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UCS2-GBpc-EUC	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UCS2-KSCms-UHC	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UCS2-KSCpc-EUC	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniCNS-UCS2-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniCNS-UCS2-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniCNS-UTF16-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniCNS-UTF16-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniCNS-UTF32-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniCNS-UTF32-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniCNS-UTF8-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniCNS-UTF8-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniGB-UCS2-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniGB-UCS2-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniGB-UTF16-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniGB-UTF16-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniGB-UTF32-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniGB-UTF32-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniGB-UTF8-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniGB-UTF8-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniHojo-UCS2-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniHojo-UCS2-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniHojo-UTF16-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniHojo-UTF16-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniHojo-UTF32-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniHojo-UTF32-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniHojo-UTF8-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniHojo-UTF8-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJIS-UCS2-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJIS-UCS2-HW-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJIS-UCS2-HW-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJIS-UCS2-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJIS-UTF16-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJIS-UTF16-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJIS-UTF32-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJIS-UTF32-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJIS-UTF8-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJIS-UTF8-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJIS2004-UTF16-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJIS2004-UTF16-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJIS2004-UTF32-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJIS2004-UTF32-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJIS2004-UTF8-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJIS2004-UTF8-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJISPro-UCS2-HW-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJISPro-UCS2-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJISPro-UTF8-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJISX0213-UTF32-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJISX0213-UTF32-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJISX02132004-UTF32-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniJISX02132004-UTF32-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniKS-UCS2-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniKS-UCS2-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniKS-UTF16-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniKS-UTF16-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniKS-UTF32-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniKS-UTF32-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniKS-UTF8-H	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\UniKS-UTF8-V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\V	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\PDFescape Desktop\resources\CMap\WP-Symbol	Jump to behavior

Creates a software uninstall entry

Show sources

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Uninstall\{B52074CE-AD76-4FB0-A18E-750A76508F5E}

Jump to behavior

Submission file is bigger than most known malware samples

Show sources

Source: pdfescape-desktop-asian-and-extended.msi

Static file information: File size 5918720 > 1048576

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\progects\mining-service\xmr\build\x64\Release\service64.pdb" source: xbox-service.exe, 00000009.00000001.12620962077.000000013FBF0000.00000002.sdmp, pdfescape-desktop-asian-and-extended.msi
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -D"WINVER=0x0501" -D"_WIN32_WINNT=0x0501" -D"_USING_V110_SDK71_" source: tmp2C70.tmp.7.dr
Source:	Binary string: D:\LULU\TempBuilds\TemporaryBuilds\CAN_Installer_Builder_1\9\s\_bin\PDFescape\Win32\PDFescapeDesktopInstaller.pdb". source: tmp2C70.tmp.7.dr
Source:	Binary string: C:\progects\mining-service\xmr\build\Release\service32.pdb source: pdfescape-desktop-asian-and-extended.msi
Source:	Binary string: C:\progects\mining-service\xmr\build\x64\Release\service64.pdb source: xbox-service.exe, 00000009.00000001.12620962077.000000013FBF0000.00000002.sdmp, pdfescape-desktop-asian-and-extended.msi
Source:	Binary string: D:\LULU\TempBuilds\TemporaryBuilds\CAN_Installer_Builder_1\9\s\_bin\PDFescape\Win32\PDFescapeStatisticsDll.pdb source: tmp2C70.tmp.7.dr
Source:	Binary string: D:\LULU\TempBuilds\TemporaryBuilds\CAN_Installer_Builder_1\9\s\_bin\PDFescape\Win32\PDFescapeDesktopInstaller.pdb source: tmp2C70.tmp.7.dr
Source:	Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -D"WINVER=0x0501" -D"_WIN32_WINNT=0x0501" -D"_USING_V110_SDK71_"crypto\bio\bio_lib.c source: tmp2C70.tmp.7.dr
Source:	Binary string: C:\delivery\Dev\wix30_public\build\ship\x86\PrintEula.pdb source: pdfescape-desktop-asian-and-extended.msi

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 10_1_00000001800A2778 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_1_00000001800A2778

PE file contains an invalid checksum

Show sources

Source: xbox-service.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0xf91e3
Source: pagefile.sys.9.dr	Static PE information: real checksum: 0x176fd5 should be:
Source: PDFescape_Desktop_Installer_3.0.25.584[1].exe.7.dr	Static PE information: real checksum: 0xb9e019 should be:

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\system32\xbox-service.exe

Jump to behavior

Drops PE files

Show sources

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\xbox-service.exe	Jump to dropped file
Source: C:\Windows\System32\xbox-service.exe	File created: C:\Windows\pagefile.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB0F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user~1\AppData\Local\Temp\tmp2C70.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GOPT6FQ2\PDFescape_Desktop_Installer_3.0.25.584[1].exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Show sources

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\xbox-service.exe	Jump to dropped file
Source: C:\Windows\System32\xbox-service.exe	File created: C:\Windows\pagefile.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB0F.tmp	Jump to dropped file

May use bcdedit to modify the Windows boot settings

Show sources

Source: metadata-2.2.dr	Binary or memory string: bcdedit.exe22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\
Source: metadata-2.2.dr	Binary or memory string: bcdedit.exe.mui22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\

Boot Survival:

Creates or modifies windows services

Show sources

Source: C:\Windows\System32\msiexec.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

Jump to behavior

Modifies existing windows services

Show sources

Source: C:\Windows\System32\msiexec.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore

Jump to behavior

Contains functionality to start windows services

Show sources

Source: C:\Windows\System32\msiexec.exe

Code function: 7_1_000007FEF3943560 OpenSCManagerA,OpenServiceA,ChangeServiceConfigA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

7_1_000007FEF3943560

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Windows\System32\msiexec.exe

Code function: 7_1_000007FEF3947D48 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

7_1_000007FEF3947D48

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Checks the free space of harddrives

Show sources

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\xbox-service.exe	Thread delayed: delay time: 600000
Source: C:\Windows\System32\xbox-service.exe	Thread delayed: delay time: 600000

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\System32\xbox-service.exe

Window / User API: threadDelayed 462

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\tmp2C70.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GOPT6FQ2\PDFescape_Desktop_Installer_3.0.25.584[1].exe			Jump to dropped file

Found large amount of non-executed APIs

Show sources

Source: C:\Windows\System32\xbox-service.exe	API coverage: 9.6 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 4.1 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 4.0 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\msiexec.exe TID: 2664	Thread sleep time: -300000s >= -60000s	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe TID: 2388	Thread sleep time: -180000s >= -60000s	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe TID: 2388	Thread sleep time: -60000s >= -60000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2776	Thread sleep time: -60000s >= -60000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 284	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 284	Thread sleep time: -2460000s >= -60000s	Jump to behavior
Source: C:\Windows\System32\xbox-service.exe TID: 2696	Thread sleep time: -101738s >= -60000s
Source: C:\Windows\System32\xbox-service.exe TID: 2696	Thread sleep count: 462 > 30
Source: C:\Windows\System32\xbox-service.exe TID: 2696	Thread sleep time: -277200000s >= -60000s
Source: C:\Windows\System32\xbox-service.exe TID: 2696	Thread sleep time: -600000s >= -60000s

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Windows\System32\xbox-service.exe

Last function: Thread delayed

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF3941F30 FindFirstFileExW,	7_1_000007FEF3941F30
Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF3959598 FindFirstFileExA,	7_1_000007FEF3959598
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1D33D4 FindFirstFileExA,	8_2_000000013F1D33D4
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBE33D4 FindFirstFileExA,	9_1_000000013FBE33D4
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800C9C70 FindFirstFileExA,	10_1_00000001800C9C70
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800C9C70 FindFirstFileExA,	12_1_00000001800C9C70

Contains functionality to query system information

Show sources

Source: C:\Windows\System32\xbox-service.exe

Code function: 8_2_000000013F1C5370 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

8_2_000000013F1C5370

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: msiexec.exe, 00000002.00000003.12408141029.0000000002C6C000.00000004.sdmp	Binary or memory string: microsoft-hyper-v-migration-replacement.man
Source: metadata-2.2.dr	Binary or memory string: lsm.exe22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests,,microsoft-hyper-v-migration-replacement.man22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\
Source: msiexec.exe, 00000002.00000003.12440495715.000000000423A000.00000004.sdmp	Binary or memory string: microsoft-hyper-v-client-migration-replacement.man
Source: msiexec.exe, 00000002.00000003.12440495715.000000000423A000.00000004.sdmp	Binary or memory string: microsoft-hyper-v-drivers-migration-replacement.man`
Source: metadata-2.2.dr	Binary or memory string: iasmigplugin-dl.man22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\##windows\system32\spp\tokens\ppdlic
Source: metadata-2.2.dr	Binary or memory string: imscmig.dll22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests44microsoft-hyper-v-drivers-migration-replacement.man22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\
Source: metadata-2.2.dr	Binary or memory string: iasmigplugin-dl.man22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\--windows\syswow64\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\,,program files (x86)\internet explorer\en-us

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\SysWOW64\msiexec.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Windows\System32\msiexec.exe

Code function: 7_1_000007FEF394CFD4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_1_000007FEF394CFD4

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Show sources

Source: C:\Windows\System32\msiexec.exe

Code function: 7_1_000007FEF394844C GetLastError,IsDebuggerPresent,OutputDebugStringW,

7_1_000007FEF394844C

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 10_1_00000001800A2778 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_1_00000001800A2778

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Windows\System32\msiexec.exe

Code function: 7_1_000007FEF395521C GetProcessHeap,

7_1_000007FEF395521C

Contains functionality to register its own exception handler

Show sources

Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF3949364 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_1_000007FEF3949364
Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF394CFD4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_1_000007FEF394CFD4
Source: C:\Windows\System32\msiexec.exe	Code function: 7_1_000007FEF3949608 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_1_000007FEF3949608
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1BFC90 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	8_2_000000013F1BFC90
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1C4F10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000000013F1C4F10
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1C0324 SetUnhandledExceptionFilter,	8_2_000000013F1C0324
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1BF114 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_000000013F1BF114
Source: C:\Windows\System32\xbox-service.exe	Code function: 8_2_000000013F1C014C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_000000013F1C014C
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBCFC90 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	9_1_000000013FBCFC90
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBD4F10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_1_000000013FBD4F10
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBD0324 SetUnhandledExceptionFilter,	9_1_000000013FBD0324
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBCF114 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_1_000000013FBCF114
Source: C:\Windows\System32\xbox-service.exe	Code function: 9_1_000000013FBD014C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_1_000000013FBD014C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018008E8CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_1_000000018008E8CC
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800B0FF4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_1_00000001800B0FF4
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_000000018008F444 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_1_000000018008F444
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018008E8CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_1_000000018008E8CC
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800B0FF4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_1_00000001800B0FF4
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_000000018008F444 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_1_000000018008F444

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file

Show sources

Source: C:\Windows\System32\msiexec.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Mutes Antivirus updates and installments via hosts file black listing

Show sources

Source: C:\Windows\System32\msiexec.exe

Hosts file modification: 127.0.0.1 update.eset.com

Jump to dropped file

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: tmp2C70.tmp.7.dr

Binary or memory string: E#more-details#restartRestart button clickedd:\lulu\tempbuilds\temporarybuilds\can_installer_builder_1\9\s\glaminstallercom\balloonview.cpp.popup-info p.top-loaderShell_TrayWnd,

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\Windows\System32\msiexec.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_1_000007FEF395DA4C
Source: C:\Windows\System32\msiexec.exe	Code function: EnumSystemLocalesW,	7_1_000007FEF3955288
Source: C:\Windows\System32\msiexec.exe	Code function: EnumSystemLocalesW,	7_1_000007FEF395D9B4
Source: C:\Windows\System32\msiexec.exe	Code function: EnumSystemLocalesW,	7_1_000007FEF395D8E4
Source: C:\Windows\System32\msiexec.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_1_000007FEF395DFC4
Source: C:\Windows\System32\msiexec.exe	Code function: GetLocaleInfoW,	7_1_000007FEF3955724
Source: C:\Windows\System32\msiexec.exe	Code function: GetLocaleInfoW,	7_1_000007FEF395DE8C
Source: C:\Windows\System32\msiexec.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_1_000007FEF395DDDC
Source: C:\Windows\System32\msiexec.exe	Code function: TranslateName,TranslateName,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,	7_1_000007FEF395D5D8
Source: C:\Windows\System32\msiexec.exe	Code function: GetLocaleInfoW,	7_1_000007FEF395DC90
Source: C:\Windows\System32\xbox-service.exe	Code function: EnumSystemLocalesW,	8_2_000000013F1D6F44
Source: C:\Windows\System32\xbox-service.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	8_2_000000013F1D6FDC
Source: C:\Windows\System32\xbox-service.exe	Code function: EnumSystemLocalesW,	8_2_000000013F1D6E74
Source: C:\Windows\System32\xbox-service.exe	Code function: GetLocaleInfoW,	8_2_000000013F1CFD04
Source: C:\Windows\System32\xbox-service.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_000000013F1D7554
Source: C:\Windows\System32\xbox-service.exe	Code function: GetLocaleInfoW,	8_2_000000013F1D741C
Source: C:\Windows\System32\xbox-service.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_000000013F1D736C
Source: C:\Windows\System32\xbox-service.exe	Code function: TranslateName,TranslateName,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,	8_2_000000013F1D6B68
Source: C:\Windows\System32\xbox-service.exe	Code function: GetLocaleInfoW,	8_2_000000013F1D7220
Source: C:\Windows\System32\xbox-service.exe	Code function: EnumSystemLocalesW,	8_2_000000013F1CF868
Source: C:\Windows\System32\xbox-service.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	9_1_000000013FBE6FDC
Source: C:\Windows\System32\xbox-service.exe	Code function: EnumSystemLocalesW,	9_1_000000013FBE6F44
Source: C:\Windows\System32\xbox-service.exe	Code function: EnumSystemLocalesW,	9_1_000000013FBE6E74
Source: C:\Windows\System32\xbox-service.exe	Code function: GetLocaleInfoW,	9_1_000000013FBDFD04
Source: C:\Windows\System32\xbox-service.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_1_000000013FBE7554
Source: C:\Windows\System32\xbox-service.exe	Code function: GetLocaleInfoW,	9_1_000000013FBE741C
Source: C:\Windows\System32\xbox-service.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_1_000000013FBE736C
Source: C:\Windows\System32\xbox-service.exe	Code function: TranslateName,TranslateName,IsValidCodePage,wcschr,wcschr,GetLocaleInfoW,	9_1_000000013FBE6B68
Source: C:\Windows\System32\xbox-service.exe	Code function: GetLocaleInfoW,	9_1_000000013FBE7220
Source: C:\Windows\System32\xbox-service.exe	Code function: EnumSystemLocalesW,	9_1_000000013FBDF868

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\Windows\System32\msiexec.exe

Code function: 7_1_000007FEF3958EB0 cpuid

7_1_000007FEF3958EB0

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Contains functionality to query local / system time

Show sources

Source: C:\Windows\System32\msiexec.exe

Code function: 7_1_000007FEF39499C4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_1_000007FEF39499C4

Contains functionality to query time zone information

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 10_1_00000001800C7B80 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

10_1_00000001800C7B80

Contains functionality to query windows version

Show sources

Source: C:\Windows\System32\rundll32.exe

Code function: 10_1_00000001800342F0 GetStdHandle,GetFileType,MultiByteToWideChar,GetVersion,RegisterEventSourceW,ReportEventW,DeregisterEventSource,MessageBoxW,

10_1_00000001800342F0

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file

Show sources

Source: C:\Windows\System32\msiexec.exe

File written: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

AV process strings found (often used to terminate AV products)

Show sources

Source: msiexec.exe, 00000002.00000003.12440495715.000000000423A000.00000004.sdmp	Binary or memory string: msascui.exe
Source: msiexec.exe, 00000002.00000003.12440495715.000000000423A000.00000004.sdmp	Binary or memory string: mcupdate.exe

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Show sources

Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800A64E8 Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::WorkItem::Bind,	10_1_00000001800A64E8
Source: C:\Windows\System32\rundll32.exe	Code function: 10_1_00000001800A53B4 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::WorkItem::Bind,Concurrency::details::SchedulerBase::GetInternalContext,	10_1_00000001800A53B4
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800A64E8 Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::WorkItem::Bind,	12_1_00000001800A64E8
Source: C:\Windows\System32\rundll32.exe	Code function: 12_1_00000001800A53B4 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::WorkItem::Bind,Concurrency::details::SchedulerBase::GetInternalContext,	12_1_00000001800A53B4

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
13:21:50	API Interceptor	142x Sleep call for process: msiexec.exe modified
13:21:55	API Interceptor	3x Sleep call for process: svchost.exe modified
13:22:01	API Interceptor	3x Sleep call for process: mscorsvw.exe modified
13:23:27	API Interceptor	468x Sleep call for process: xbox-service.exe modified

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
pdfescape-desktop-asian-and-extended.msi	22%	virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\System32\xbox-service.exe	100%	Avira	HEUR/AGEN.1013443

Unpacked PE Files

Source	Detection	Scanner	Label
8.1.xbox-service.exe.13f1b0000.0.unpack	100%	Avira	HEUR/AGEN.1013443
8.2.xbox-service.exe.13f1b0000.0.unpack	100%	Avira	HEUR/AGEN.1013443
8.0.xbox-service.exe.13f1b0000.2.unpack	100%	Avira	HEUR/AGEN.1013443
9.1.xbox-service.exe.13fbc0000.0.unpack	100%	Avira	HEUR/AGEN.1013443
9.0.xbox-service.exe.13fbc0000.0.unpack	100%	Avira	HEUR/AGEN.1013443
8.0.xbox-service.exe.13f1b0000.0.unpack	100%	Avira	HEUR/AGEN.1013443
8.0.xbox-service.exe.13f1b0000.3.unpack	100%	Avira	HEUR/AGEN.1013443
8.0.xbox-service.exe.13f1b0000.1.unpack	100%	Avira	HEUR/AGEN.1013443

Domains

Source	Detection	Scanner	Link
pdfedesktopmsi.b-cdn.net	0%	virustotal	Browse
cdn.lulusoft.com	0%	virustotal	Browse
partner1.lulusoft.com	0%	virustotal	Browse
download-desktop-msi.pdfescape.com	0%	virustotal	Browse

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
64.15.159.203	PDF_Architect_6_Installer.exe .exe	a7286b80224e7d034f39e614b040ecce0d2916b9a20b248301184186723591d1	malicious	Browse	cdn.lulusoft.com/download/pdfarchitect/pdfarch6/glamour

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn.lulusoft.com	PDF_Architect_6_Installer.exe .exe	a7286b80224e7d034f39e614b040ecce0d2916b9a20b248301184186723591d1	malicious	Browse	64.15.159.203

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VENUS-INTERNET-ASGB	ntVhnbr5F.exe	94fe0e8a61c506fba45d14571a14dc259e1d52778cef8366ce8cbdcd871e28db	malicious	Browse	82.102.21.90
IWEB-AS-iWebTechnologiesIncCA	http://wcdownloadercdn.lavasoft.com/4.0.1767.3319/WcInstaller.exe		malicious	Browse	72.55.154.81
	https://steakncake.com/Contracting/foundation.com.html		malicious	Browse	184.107.226.138
	16information.exe	ecf99b89356eb88ac2d7aabe49453829561196937d12b2ac8b1f9c6a16a0e3b3	malicious	Browse	192.175.119.132
	1LqOyBqqKwJ.exe	16e902bd262ec1fb8889f22927fd0cebc93e874ce5448ca27708f90c2546baed	malicious	Browse	64.15.135.145
	Documents.doc	c66c84f8ceaa3402958e94c264c022d462d7ed01639744416602d810cd47cef9	malicious	Browse	184.107.35.132
	3900494915.doc.js	7a28268d0b661fe555f774cf22bf9ba99f8525e524b7724d9c8a4567956529df	malicious	Browse	184.107.174.122
	sima-mehta.com/new-order		malicious	Browse	198.50.100.242
	49ATTACHMEN.exe	105e23db2f6fe01469e8eff5131c0cfb108d469f2c819d6f0c30ae9a46c8fd9f	malicious	Browse	174.142.225.233
	https://lomassmith.co.uk/Privates/foundation.com.html		malicious	Browse	184.107.226.138
	.exe	1f7e7d2f28c4173ab033bf8945ed5ea7641301c83c41baf81c878a99dfff2dea	malicious	Browse	174.142.225.233
	http://dance-u.com/Helpdesk/OWA.html		malicious	Browse	184.107.176.122
	http://south-floridaattorney.com/indictment-vs-information-in-a-criminal-case/		malicious	Browse	184.107.41.75
	PDF_Architect_6_Installer.exe .exe	a7286b80224e7d034f39e614b040ecce0d2916b9a20b248301184186723591d1	malicious	Browse	64.15.159.224
	FedEx_AWB invoic.exe	4eca73174bcdbc8c7fd352834cfb9db02e9554c3f06ccd2a0340da67ea7f093e	malicious	Browse	184.107.112.115
	http://karimatlassi.com/assets/demme/direct.php?email=tdaniels@coe.montana.edu		malicious	Browse	174.142.53.42
	http://teachingacademy.co.uk/wp-includes/css/ekwe/direct.php?email=austin.leach@montana.edu		malicious	Browse	174.142.53.42
	11.html .exe	7c8f8cd47ce05c5d4323765edc9fa8804b48a28442f4f7bee33707e2c1596a6b	malicious	Browse	64.15.135.145
	19youtube.exe	db3ee875ef668d4fd0d8b15f659868281f41cdf9993b81f531b6eb87334dfde9	malicious	Browse	184.107.21.170
	3900494915.doc.js	7a28268d0b661fe555f774cf22bf9ba99f8525e524b7724d9c8a4567956529df	malicious	Browse	184.107.174.122
	download.ap.bittorrent.com/track/stable/endpoint/utorrent/os/windows		malicious	Browse	72.55.154.81
IWEB-AS-iWebTechnologiesIncCA	http://wcdownloadercdn.lavasoft.com/4.0.1767.3319/WcInstaller.exe		malicious	Browse	72.55.154.81
	https://steakncake.com/Contracting/foundation.com.html		malicious	Browse	184.107.226.138
	16information.exe	ecf99b89356eb88ac2d7aabe49453829561196937d12b2ac8b1f9c6a16a0e3b3	malicious	Browse	192.175.119.132
	1LqOyBqqKwJ.exe	16e902bd262ec1fb8889f22927fd0cebc93e874ce5448ca27708f90c2546baed	malicious	Browse	64.15.135.145
	Documents.doc	c66c84f8ceaa3402958e94c264c022d462d7ed01639744416602d810cd47cef9	malicious	Browse	184.107.35.132
	3900494915.doc.js	7a28268d0b661fe555f774cf22bf9ba99f8525e524b7724d9c8a4567956529df	malicious	Browse	184.107.174.122
	sima-mehta.com/new-order		malicious	Browse	198.50.100.242
	49ATTACHMEN.exe	105e23db2f6fe01469e8eff5131c0cfb108d469f2c819d6f0c30ae9a46c8fd9f	malicious	Browse	174.142.225.233
	https://lomassmith.co.uk/Privates/foundation.com.html		malicious	Browse	184.107.226.138
	.exe	1f7e7d2f28c4173ab033bf8945ed5ea7641301c83c41baf81c878a99dfff2dea	malicious	Browse	174.142.225.233
	http://dance-u.com/Helpdesk/OWA.html		malicious	Browse	184.107.176.122
	http://south-floridaattorney.com/indictment-vs-information-in-a-criminal-case/		malicious	Browse	184.107.41.75
	PDF_Architect_6_Installer.exe .exe	a7286b80224e7d034f39e614b040ecce0d2916b9a20b248301184186723591d1	malicious	Browse	64.15.159.224
	FedEx_AWB invoic.exe	4eca73174bcdbc8c7fd352834cfb9db02e9554c3f06ccd2a0340da67ea7f093e	malicious	Browse	184.107.112.115
	http://karimatlassi.com/assets/demme/direct.php?email=tdaniels@coe.montana.edu		malicious	Browse	174.142.53.42
	http://teachingacademy.co.uk/wp-includes/css/ekwe/direct.php?email=austin.leach@montana.edu		malicious	Browse	174.142.53.42
	11.html .exe	7c8f8cd47ce05c5d4323765edc9fa8804b48a28442f4f7bee33707e2c1596a6b	malicious	Browse	64.15.135.145
	19youtube.exe	db3ee875ef668d4fd0d8b15f659868281f41cdf9993b81f531b6eb87334dfde9	malicious	Browse	184.107.21.170
	3900494915.doc.js	7a28268d0b661fe555f774cf22bf9ba99f8525e524b7724d9c8a4567956529df	malicious	Browse	184.107.174.122
	download.ap.bittorrent.com/track/stable/endpoint/utorrent/os/windows		malicious	Browse	72.55.154.81

Dropped Files

No context

Screenshots

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

AV Detection:

Cryptography:

Bitcoin Miner:

Spreading:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

DDoS:

Operating System Destruction:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Remote Access Functionality:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshots