
Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 553091
Start time: 14:11:01
Joe Sandbox Product: Cloud
Start date: 11.05.2018
Overall analysis duration: 0h 14m 8s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: GAygkOwh9t
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 7 x64 (Office 2003 SP3, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.evad.expl.spyw.troj.win@15/1083@9/100
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 126
  • Number of non-executed functions: 161
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 75.8% (good quality ratio 37.9%)
  • Quality average: 32.8%
  • Quality standard deviation: 38%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
Warnings:
  • Exclude process from analysis (whitelisted): mscorsvw.exe, svchost.exe, WerFault.exe, WMIADAP.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtWriteFile calls found.

Detection

Strategy  | Score | Range   | Reporting      | Detection
Threshold | 100   | 0 - 100 | Report FP / FN | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample is a service DLL but no service has been registered
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Signature Overview



AV Detection:

Antivirus detection for submitted file
Source: GAygkOwh9t | Avira: Label: TR/Ransom.xmaww
Multi AV Scanner detection for submitted file
Source: GAygkOwh9t | virustotal: Detection: 45%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01379780 EntryPoint,CryptAcquireContextA,CreateThread,WaitForMultipleObjects,4_2_01379780
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_0136E7F0 CryptAcquireContextA,4_2_0136E7F0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_01379780 EntryPoint,CryptAcquireContextA,CreateThread,WaitForMultipleObjects,4_1_01379780
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_0136E7F0 CryptAcquireContextA,4_1_0136E7F0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_00399780 EntryPoint,CryptAcquireContextA,CreateThread,WaitForMultipleObjects,5_2_00399780
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_0038E7F0 CryptAcquireContextA,5_2_0038E7F0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_0018E7F0 CryptAcquireContextA,6_2_0018E7F0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_00199780 EntryPoint,CryptAcquireContextA,CreateThread,WaitForMultipleObjects,6_2_00199780
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_004FE7F0 CryptAcquireContextA,srand,7_2_004FE7F0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_00509780 EntryPoint,CryptAcquireContextA,CreateThread,WaitForMultipleObjects,7_2_00509780

Exploits:

Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)

Networking:

Detected TCP or UDP traffic on non-standard portsShow sources
Source: global trafficUDP traffic: 192.168.1.13:54081 -> 239.255.255.250:3702
May check the online IP address of the machine
Source: unknown | DNS query: name: ipinfo.io
Found strings which match to known social media urls
Source: GAygkOwh9t.exe, 00000004.00000002.16949936075.000000003CCDE000.00000004.sdmp, msiexec.exe, 00000006.00000002.17412988073.00000000113FB000.00000004.sdmp | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: GAygkOwh9t.exe, 00000004.00000002.16949936075.000000003CCDE000.00000004.sdmp, msiexec.exe, 00000006.00000002.17413219534.0000000011472000.00000004.sdmp | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: GAygkOwh9t.exe, 00000004.00000002.16949936075.000000003CCDE000.00000004.sdmp, msiexec.exe, 00000006.00000002.17412988073.00000000113FB000.00000004.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: ipinfo.io
Urls found in memory or binary data
Uses HTTPS

Boot Survival:

Creates autostart registry keys with suspicious names
Source: C:\Windows\System32\msiexec.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run notepad-2018-5-11-14-13-31-839
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run notepad-2018-5-11-14-13-21-995
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run notepad-2018-5-11-14-14-10-28
Creates multiple autostart registry keys
Source: C:\Windows\System32\msiexec.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run notepad-2018-5-11-14-13-31-839
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run notepad-2018-5-11-14-13-21-995
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run notepad-2018-5-11-14-14-10-28
Contains functionality to start windows services
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_000000010000E108 StartServiceCtrlDispatcherW,GetLastError,5_2_000000010000E108
Creates an autostart registry key
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run notepad-2018-5-11-14-13-21-995
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run notepad-2018-5-11-14-14-10-28
Source: C:\Windows\System32\msiexec.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run notepad-2018-5-11-14-13-31-839
Source: C:\Windows\System32\msiexec.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run notepad-2018-5-11-14-13-31-839
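The Run-key writes above come from three different images: the original sample, a copy of it named msiexec.exe under the user's roaming profile, and the genuine C:\Windows\System32\msiexec.exe. The following triage script is an added example, not part of the Joe Sandbox report, showing two checks that together cover all three: a look-alike of a system binary running outside %SystemRoot%, and the timestamped "notepad-Y-M-D-h-m-s-ms" value names the sample used. The event records are constructed from the paths in this report; the field layout, the list of system binaries and the Run-key prefixes are assumptions of the example, not Joe Sandbox's format.

```python
"""Added example, not part of the Joe Sandbox report: triage of autostart
registry writes.  Two independent checks are applied to each event:
  1. the writing process carries the name of a well-known system binary
     but runs from outside %SystemRoot%\System32 / SysWOW64;
  2. the Run value name matches the timestamped notepad-<...> pattern.
Event layout and the lists below are assumptions of this example."""
import re
from dataclasses import dataclass

# Binaries that legitimately live only under %SystemRoot% (assumed short list).
SYSTEM_BINARIES = {"msiexec.exe", "notepad.exe", "svchost.exe", "rundll32.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Prefix match, so ...\Run and ...\RunOnce are both covered.
RUN_KEYS = (
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run",
    "hkey_current_user\\software\\microsoft\\windows\\currentversion\\run",
)

# Value names seen in the report: notepad-<year>-<month>-<day>-<h>-<m>-<s>-<ms>
TIMESTAMPED_NAME = re.compile(r"^notepad-\d{4}(?:-\d{1,3}){6}$", re.IGNORECASE)


@dataclass(frozen=True)
class RegistryWrite:
    process: str   # full image path of the writing process
    key: str       # registry key that was written
    value: str     # value name under that key


def masquerades_as_system_binary(image_path: str) -> bool:
    """True if the image has a system binary's name but a non-system location."""
    path = image_path.lower()
    name = path.rsplit("\\", 1)[-1]
    if name not in SYSTEM_BINARIES:
        return False
    return not any(path.startswith(d) for d in SYSTEM_DIRS)


def is_run_key(key: str) -> bool:
    """True for HKLM/HKCU ...\\CurrentVersion\\Run and RunOnce keys."""
    key = key.lower()
    return any(key.startswith(k) for k in RUN_KEYS)


def triage(events):
    """Return [(event, [reasons])] for Run-key writes worth an analyst's time."""
    findings = []
    for ev in events:
        if not is_run_key(ev.key):
            continue
        reasons = []
        if masquerades_as_system_binary(ev.process):
            reasons.append("run-key write by a system-binary look-alike outside %SystemRoot%")
        if TIMESTAMPED_NAME.match(ev.value):
            reasons.append("timestamped autostart value name")
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed from the report's behaviour lines (process -> value as listed there).
RUN = "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Run"
SAMPLE_EVENTS = [
    RegistryWrite("C:\\Users\\user\\Desktop\\plugins\\GAygkOwh9t.exe", RUN, "notepad-2018-5-11-14-13-21-995"),
    RegistryWrite("C:\\Windows\\System32\\msiexec.exe", RUN, "notepad-2018-5-11-14-13-31-839"),
    RegistryWrite("C:\\Users\\user\\AppData\\Roaming\\msiexec.exe", RUN, "notepad-2018-5-11-14-14-10-28"),
    # Constructed benign control: a vendor updater registering itself.
    RegistryWrite("C:\\Program Files\\Vendor\\updater.exe", RUN, "VendorUpdate"),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev.process, ev.value, "->", "; ".join(reasons))
```

The path check alone misses the write attributed to the real C:\Windows\System32\msiexec.exe (which in this report acts on behalf of the sample), so the value-name check is what catches that entry; in practice both indicators are needed, and the value name pattern should be adjusted to whatever the sample in hand uses.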

Remote Access Functionality:

Contains strings which may be related to BOT commands (the matching strings are the names of the ==READ==THIS==PLEASE==<ID>.txt note files the sample writes, as listed under Persistence and Installation Behavior, rather than command keywords)
Source: GAygkOwh9t.exe, 00000004.00000002.16906687970.0000000000757000.00000004.sdmp | String found in binary or memory: ==READ==THIS==PLEASE==2DD10DD9.txt
Source: msiexec.exe, 00000006.00000002.17398062824.0000000000730000.00000002.sdmp | String found in binary or memory: ==READ==THIS==PLEASE==4DE0B309.txt - Notepad
Source: msiexec.exe, 00000006.00000002.17398564898.0000000001ED7000.00000004.sdmp | String found in binary or memory: ==READ==THIS==PLEASE==054ADB54.txt
Source: msiexec.exe, 00000007.00000002.17422929041.0000000001FF7000.00000004.sdmp | String found in binary or memory: ==READ==THIS==PLEASE==0E037E45.txt
Source: msiexec.exe, 00000007.00000002.17422140491.00000000006E0000.00000002.sdmp | String found in binary or memory: ==READ==THIS==PLEASE==4DE0B309.txt - Notepad
Source: msiexec.exe, 0000000A.00000003.17211891165.0000000003477000.00000004.sdmp | String found in binary or memory: ==READ==THIS==PLEASE==4DE0B309.txtb
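The memory strings above and the file-creation entries later in this report (under "Installs a Chrome extension") both carry the same note name with an eight-hex-digit identifier. The script below is an added example, not part of the Joe Sandbox report, that pulls those identifiers out of strings and created-file paths, counts the distinct directories each note was written to, and flags the mass drop. The file list is constructed from a subset of the paths in this report, and the directory threshold is an assumption.

```python
"""Added example, not part of the Joe Sandbox report: summarise
==READ==THIS==PLEASE==<ID>.txt note identifiers seen in strings and in
created-file paths.  File list and threshold are constructed assumptions."""
import re
from collections import defaultdict

NOTE_NAME = re.compile(r"==READ==THIS==PLEASE==([0-9A-F]{8})\.txt", re.IGNORECASE)
MASS_DROP_THRESHOLD = 10  # distinct directories; assumed, tune per environment


def note_id(text: str):
    """Return the 8-hex-digit note identifier in a path or string, or None."""
    m = NOTE_NAME.search(text)
    return m.group(1).upper() if m else None


def note_directories(created_files):
    """Map note ID -> set of (lower-cased) directories the note was created in."""
    dirs = defaultdict(set)
    for path in created_files:
        nid = note_id(path)
        if nid is None:
            continue
        directory = path.rsplit("\\", 1)[0] if "\\" in path else ""
        dirs[nid].add(directory.lower())
    return dirs


def mass_drop_ids(created_files, threshold=MASS_DROP_THRESHOLD):
    """IDs whose note was written to at least `threshold` distinct directories."""
    return sorted(nid for nid, d in note_directories(created_files).items()
                  if len(d) >= threshold)


EXT = "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions"
EXT_ID = "pjkljhegncpnkpknbcohdijeoejaedia\\7_0"
NOTE_4DE0 = "==READ==THIS==PLEASE==4DE0B309.txt"
LOCALES = ["zh_TW", "zh_CN", "uk", "vi", "tr", "th", "sr", "sk", "ru", "pl", "ja", "en"]

# Constructed file-creation list: the 4DE0B309 note under one extension's root
# and twelve of its _locales subfolders (paths as in the report), one lone
# 2DD10DD9 note, and an unrelated dropped file as a control.
CREATED = (
    ["\\".join((EXT, EXT_ID, NOTE_4DE0))]
    + ["\\".join((EXT, EXT_ID, "_locales", loc, NOTE_4DE0)) for loc in LOCALES]
    + ["C:\\Users\\user\\Documents\\==READ==THIS==PLEASE==2DD10DD9.txt"]
    + ["C:\\Users\\user\\AppData\\Roaming\\msiexec.exe"]
)

if __name__ == "__main__":
    for nid, d in sorted(note_directories(CREATED).items()):
        print(nid, len(d), "directories")
    print("mass drop:", mass_drop_ids(CREATED))
```

Run against the full created-file list of a report, the per-ID directory count distinguishes a note dropped into every directory walked (the behaviour documented for 4DE0B309 below) from a single-file artefact, and the set of IDs gives the note variants a detection rule should match on.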

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc.)
Source: C:\Users\user\AppData\Roaming\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.FYnIKNaxjF
Source: C:\Users\user\AppData\Roaming\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal.qTgkoPUfaM
Source: C:\Windows\System32\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\System32\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Searches for user-specific document files
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Directory queried: C:\Users\Public\Documents
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Directory queried: C:\Users\Public\Documents
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\Public\Documents
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Windows\System32\msiexec.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Directory queried: number of queries: 2184

Persistence and Installation Behavior:

Installs new ROOT certificates
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
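The subkey name under SystemCertificates\ROOT\Certificates is the SHA-1 thumbprint of the certificate, and the Blob value holds the certificate itself as a list of serialized CryptoAPI properties. When responding to a finding like the one above, the first thing to do is pull the Blob and confirm what was installed. The parser below is an added example, not part of the Joe Sandbox report: it walks the Blob's property records (DWORD property id, DWORD reserved, DWORD length, data), extracts the DER certificate from property 32 and recomputes the thumbprint so it can be compared with the key name and with the cached SHA-1 in property 3. The certificate bytes used here are constructed filler, not the certificate the sample installed, so the comparison with the reported key name fails by design.

```python
"""Added example, not part of the Joe Sandbox report: parse the registry
"Blob" value of a certificate store entry and verify its thumbprint.

Blob layout (CryptoAPI serialized properties):
    DWORD propid | DWORD reserved (always 1) | DWORD cb | cb bytes of data
Property 32 (CERT_CERT_PROP_ID) carries the DER certificate; property 3
(CERT_SHA1_HASH_PROP_ID) carries its cached SHA-1 hash.
The certificate bytes below are constructed filler, not a real certificate."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32
_HEADER = struct.Struct("<III")


def parse_cert_blob(blob: bytes) -> dict:
    """Split a certificate Blob into {propid: data}; raise on truncation."""
    props = {}
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < _HEADER.size:
            raise ValueError("truncated property header")
        propid, reserved, size = _HEADER.unpack_from(blob, offset)
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} at offset {offset}")
        offset += _HEADER.size
        data = blob[offset:offset + size]
        if len(data) != size:
            raise ValueError("truncated property data")
        props[propid] = data
        offset += size
    return props


def thumbprint(blob: bytes) -> str:
    """Upper-case hex SHA-1 thumbprint of the DER certificate inside the Blob."""
    der = parse_cert_blob(blob).get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("no certificate property in blob")
    return hashlib.sha1(der).hexdigest().upper()


def key_name_matches(key_name: str, blob: bytes) -> bool:
    """Does the registry subkey name equal the thumbprint of the embedded cert?"""
    return key_name.strip().upper() == thumbprint(blob)


def cached_hash_consistent(blob: bytes) -> bool:
    """Cross-check the cached SHA-1 property (if present) against the certificate."""
    cached = parse_cert_blob(blob).get(CERT_SHA1_HASH_PROP_ID)
    if cached is None:
        return True  # nothing to compare against
    return cached.hex().upper() == thumbprint(blob)


def build_blob(der: bytes, include_hash: bool = True) -> bytes:
    """Serialize a certificate (and optionally its cached hash) in Blob layout."""
    out = b""
    if include_hash:
        digest = hashlib.sha1(der).digest()
        out += _HEADER.pack(CERT_SHA1_HASH_PROP_ID, 1, len(digest)) + digest
    out += _HEADER.pack(CERT_CERT_PROP_ID, 1, len(der)) + der
    return out


# Constructed stand-in for a DER certificate (a real Blob carries real DER).
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_BLOB = build_blob(FAKE_DER)
# Key name taken from the report; it cannot match the constructed certificate.
REPORTED_KEY = "12891DF7B048CD69D0196C8AD7A754C8A812A08C"

if __name__ == "__main__":
    print("thumbprint:", thumbprint(SAMPLE_BLOB))
    print("cached hash consistent:", cached_hash_consistent(SAMPLE_BLOB))
    print("matches reported key:", key_name_matches(REPORTED_KEY, SAMPLE_BLOB))
```

On a live system the Blob can be read with reg.exe or from a registry hive export and fed to thumbprint(); a mismatch between key name and recomputed thumbprint, or between the cached hash and the certificate, means the entry was not written by the normal certificate store API and deserves a closer look. The DER bytes from property 32 can then be handed to any X.509 parser to read the subject and validity period.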
Drops PE files (the dropped file reuses the name of the Windows Installer binary msiexec.exe but sits in the user's roaming profile rather than System32)
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | File created: C:\Users\user\AppData\Roaming\msiexec.exe
Installs a Chrome extension (the files written are ==READ==THIS==PLEASE==4DE0B309.txt notes placed in the directories of extensions already present in the sandbox's Chrome profile, not extension code; the signature appears to key on file creation beneath the Extensions folder)
Source: C:\Windows\System32\msiexec.exe | File created: ==READ==THIS==PLEASE==4DE0B309.txt in C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\ and in its _locales subfolders: zh_TW, zh_CN, uk, vi, tr, th, sr, sk, se, sl, ru, ro, pt_PT, pl, pt_BR, no, nl, lv, lt, ko, ja, it, id, hu, hr, hi, fr, fil, fi, en, es, el, de, da, cs, ca, bg, ar
Source: C:\Windows\System32\msiexec.exe | File created: ==READ==THIS==PLEASE==4DE0B309.txt in C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\ and in its _locales subfolders: zh_TW, zh_CN, vi, uk, th, tr, sv, sr, sl, sk, ru, ro, pt_PT, pt_BR, pl, no, nl, lv, ko, lt, ja, it, id, hr, hu, hi, he, fr, fil, fi, et, es_419, es, en_US, en_GB, en, el, de, da, cs, ca, bg, ar
Source: C:\Windows\System32\msiexec.exe | File created: ==READ==THIS==PLEASE==4DE0B309.txt in C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\ and in its _locales subfolders: zh_TW, zh_CN, vi, uk, tr, th, sv, sr, sl
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\sk\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ru\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ro\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\pt_PT\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\pt_BR\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\pl\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\no\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\nl\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\lv\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\lt\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ko\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ja\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\it\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\id\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\hu\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\hr\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\hi\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\he\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\fr\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\fil\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\fi\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\es\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\el\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\en\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\de\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\cs\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\da\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ca\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\bg\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ar\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\zh_TW\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\zh_CN\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\vi\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\uk\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\tr\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\th\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\sv\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\sr\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\sl\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\sk\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\ru\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\ro\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\pt_PT\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\pt_BR\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\pl\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\no\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\ms\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\nl\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\lv\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\ko\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\lt\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\it\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\id\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\ja\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\hu\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\hr\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\hi\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\he\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\fr\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\fi\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\fil\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\eu\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\es_419\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\et\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\es\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\en_US\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\en_GB\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\el\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\de\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\da\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\cs\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\ca\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\bg\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\_locales\ar\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.0.0.6_0\==READ==THIS==PLEASE==4DE0B309.txt
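
Worked example (added for this write-up; not Joe Sandbox output or code). The 'File created' entries above are one filename, ==READ==THIS==PLEASE==4DE0B309.txt, dropped into the root and every locale directory of every installed Chrome extension, and the writing process is reported as C:\Windows\System32\msiexec.exe, a binary that has no reason to write notes into a per-user browser profile. The Python below parses lines in the report's own layout (the fused 'msiexec.exeFile created:' form as well as a separated one) and raises the two signals that matter for triage: one filename written into many distinct directories, and a System32-resident image writing under C:\Users. The threshold of five directories, the benign chrome.exe sample line and the function names are this example's own choices, not values taken from the report.

```python
"""Triage 'File created' events for a mass note drop and out-of-place System32 writes."""
import ntpath
import re
from collections import defaultdict

# Accepts the report's fused layout ('...msiexec.exeFile created: ...') as well as a
# separated one ('...msiexec.exe | File created: ...'); the source path is matched lazily.
EVENT_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|?\s*File created:\s*(?P<path>.+?)\s*$")

# Constructed sample: six entries copied from the report above (in both layouts)
# plus one benign browser cache write, so the rules can be seen not to fire on it.
SAMPLE_EVENTS = r"""
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\en_US\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\de\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\_locales\ar\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\_locales\ja\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000123
"""


def parse_events(text):
    """Return (source_image, created_path) pairs; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m.group("src"), m.group("path")))
    return events


def note_drop_candidates(events, min_dirs=5):
    """Filenames written into at least min_dirs distinct directories (case-folded).

    min_dirs=5 is an example threshold. Installers do write one file into many
    directories, but rarely the same name into every folder of a browser profile.
    """
    dirs_by_name = defaultdict(set)
    for _src, path in events:
        directory, name = ntpath.split(path)
        dirs_by_name[name.lower()].add(directory.lower())
    return {name: dirs for name, dirs in dirs_by_name.items() if len(dirs) >= min_dirs}


def system32_writes_into_user_profile(events):
    """Events where an image under C:\\Windows\\System32 creates a file under C:\\Users."""
    return [
        (src, path)
        for src, path in events
        if src.lower().startswith("c:\\windows\\system32\\")
        and path.lower().startswith("c:\\users\\")
    ]


def triage(text, min_dirs=5):
    """Summarise both signals for a block of report lines."""
    events = parse_events(text)
    return {
        "events": len(events),
        "mass_drop": {n: len(d) for n, d in note_drop_candidates(events, min_dirs).items()},
        "system32_into_profile": len(system32_writes_into_user_profile(events)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the sample above the note is seen in six distinct directories and all six writes come from the System32 path; the chrome.exe cache write matches neither rule.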

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_0000000100006600 GetModuleFileNameW,GetLastError,RegCreateKeyExW,lstrlenW,RegSetValueExW,lstrlenW,RegSetValueExW,RegCloseKey,RegCreateKeyExW,RegOpenKeyExW,RegQueryValueExW,memset,CreateProcessW,WaitForSingleObject,CloseHandle,CloseHandle,RegCloseKey,wcsrchr,lstrlenW,RegSetValueExW,lstrlenW,RegSetValueExW,RegCloseKey,LoadLibraryW,GetProcAddress
PE file contains an invalid checksum
Source: GAygkOwh9t | Static PE information: real checksum: 0x0 should be: 0x2ba8c
Source: msiexec.exe.4.dr | Static PE information: real checksum: 0x21eb2 should be: 0x13f470
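
Worked example (added; not Joe Sandbox code): how the 'should be' value in the two entries above is derived. IMAGE_OPTIONAL_HEADER.CheckSum is a 16-bit end-around-carry fold of every 32-bit word in the file, with the CheckSum field itself counted as zero, plus the file length; it is the value imagehlp's MapFileAndCheckSum returns. A stored 0, as for the sample GAygkOwh9t, is what a linker emits when no checksum was requested and is common in packed or hand-assembled binaries. A stored non-zero value that disagrees with the recomputed one, as for the dropped msiexec.exe.4.dr, means bytes changed after the field was written. Windows only enforces the field for kernel drivers and a few boot-time DLLs, so user-mode malware has no incentive to keep it consistent, which is what makes it a cheap triage signal. The PE32+ shell produced by build_test_image() is constructed for the demonstration: valid headers, no code, not a runnable executable.

```python
"""Recompute and verify IMAGE_OPTIONAL_HEADER.CheckSum for a PE image held in memory."""
import struct


def pe_checksum_offset(data):
    """File offset of OptionalHeader.CheckSum: e_lfanew + 4 (signature) + 20 (COFF header) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64   # same offset for PE32 and PE32+


def read_stored_checksum(data):
    """The CheckSum value currently written in the header."""
    return struct.unpack_from("<I", data, pe_checksum_offset(data))[0]


def compute_pe_checksum(data):
    """The value MapFileAndCheckSum would return for these bytes."""
    off = pe_checksum_offset(data)
    padded = data + b"\0" * (-len(data) % 4)     # a trailing partial dword is zero-padded
    acc = 0
    for i in range(0, len(padded), 4):
        if i == off:
            continue                              # the CheckSum field itself counts as zero
        acc += struct.unpack_from("<I", padded, i)[0]
        acc = (acc & 0xFFFFFFFF) + (acc >> 32)    # end-around carry keeps acc within 32 bits
    acc = (acc & 0xFFFF) + (acc >> 16)            # fold to 16 bits, carry included
    acc = (acc + (acc >> 16)) & 0xFFFF
    return acc + len(data)                        # original, unpadded file length


def checksum_is_valid(data):
    """True when the stored field equals the recomputed value."""
    return read_stored_checksum(data) == compute_pe_checksum(data)


def set_pe_checksum(data):
    """Return a copy with a correct CheckSum written into the header."""
    out = bytearray(data)
    struct.pack_into("<I", out, pe_checksum_offset(data), compute_pe_checksum(data))
    return bytes(out)


def build_test_image(size=0x400):
    """Constructed PE32+ shell for the demo: valid MZ/PE headers, no code, CheckSum left at 0."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)              # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x8664, 1)         # Machine = AMD64, NumberOfSections = 1
    struct.pack_into("<H", img, 0x98, 0x20B)              # OptionalHeader.Magic = PE32+
    img[0x200:0x210] = bytes(range(0x41, 0x51))           # some non-zero 'section' bytes
    return bytes(img)


if __name__ == "__main__":
    img = build_test_image()
    print(f"real checksum: {read_stored_checksum(img):#x} should be: {compute_pe_checksum(img):#x}")
```

Running it on the constructed image reproduces the report's wording for a zero field; after set_pe_checksum() the image validates, and flipping any byte outside the CheckSum field invalidates it again, because a single-byte change always shifts the 16-bit fold.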
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_013619F0 push rax; ret 4_2_01361A42
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_013642B4 push rax; ret 4_2_01364302
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01362B45 push rax; ret 4_2_01362B92
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01363090 push rax; ret 4_2_013630D2
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_0136435B push rax; ret 4_2_013643B2
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01365A30 push rax; ret 4_2_01365A72
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01361CEA push rax; ret 4_2_01361D42
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01363913 push rax; ret 4_2_01363962
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01365C50 push rax; ret 4_2_01365C92
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_0136248D push rax; ret 4_2_013624E2
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01363C04 push rax; ret 4_2_01363C52
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01365220 push rax; ret 4_2_01365272
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01364270 push rax; ret 4_2_013642B2
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01361773 push rax; ret 4_2_013617C2
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01362AA0 push rax; ret 4_2_01362AF2
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01363CFB push rax; ret 4_2_01363D52
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_013615E0 push rax; ret 4_2_01361622
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_013638BC push rax; ret 4_2_01363912
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01361B40 push rax; ret 4_2_01361B82
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01365D3A push rax; ret 4_2_01365D92
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01363C53 push rax; ret 4_2_01363CA2
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01364C90 push rax; ret 4_2_01364CD2
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01361C3C push rax; ret 4_2_01361C92
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01365D93 push rax; ret 4_2_01365DE2
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01363A6C push rax; ret 4_2_01363AC2
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01365280 push rax; ret 4_2_013652C2
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_013633D0 push rax; ret 4_2_01363412
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_013628E3 push rax; ret 4_2_01362932
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_013621DB push rax; ret 4_2_01362232
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01362693 push rax; ret 4_2_013626E2
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01362C83 push rax; ret 4_2_01362CD2
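
Worked example (added; not Joe Sandbox code): what the 31 'push rax; ret' sites above are and how to triage them. A push of a register followed immediately by ret transfers control to the address in that register, so the pair is jmp reg spelled in a way that makes linear disassemblers and return-based heuristics see a function epilogue instead of an indirect branch. The scanner below finds the pattern in raw x86-64 bytes, including the REX.B-prefixed form that selects r8 to r15, and rewrites chosen sites to the size-equivalent jmp reg encoding (opcode FF /4, ModRM 0xE0 + register) so a disassembler follows the real control flow. SAMPLE_CODE is constructed for this example and deliberately contains the bytes 50 C3 inside an immediate, to show that byte-level scanning over-reports compared with the function-level disassembly the sandbox's count is based on.

```python
"""Find and normalize 'push reg; ret' (a disguised 'jmp reg') in x86-64 code bytes."""

# Opcode 0x50+r is push r64 for rax..rdi; with a 0x41 (REX.B) prefix the same opcode
# selects r8..r15. jmp r/m64 is FF /4, so ModRM = 11 100 rrr = 0xE0 | rrr.
REGS_LOW = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
REGS_HIGH = [f"r{8 + i}" for i in range(8)]
REX_B = 0x41
RET = 0xC3
JMP_RM = 0xFF

# Constructed sample (not bytes from the analysed file): two real gadgets, a plain
# prologue, and a mov eax,imm32 whose immediate happens to contain 50 C3.
SAMPLE_CODE = bytes.fromhex(
    "4889C8"      # mov rax, rcx
    "50C3"        # push rax ; ret      (== jmp rax)
    "4150C3"      # push r8  ; ret      (== jmp r8)
    "4883EC28"    # sub rsp, 0x28
    "B850C30000"  # mov eax, 0xC350     (50 C3 sits inside the immediate)
    "C3"          # ret
)


def find_push_ret(code, base=0):
    """Return (address, register) for every push-reg/ret byte pair in the buffer.

    This is a byte-level scan with no notion of instruction boundaries, so bytes
    inside immediates can match (see the mov eax case in SAMPLE_CODE). Treat hits
    as candidates to confirm in a disassembler, not as a final count.
    """
    hits = []
    i, n = 0, len(code)
    while i < n - 1:
        rex = code[i] == REX_B
        op = i + 1 if rex else i
        if op + 1 < n and 0x50 <= code[op] <= 0x57 and code[op + 1] == RET:
            reg = (REGS_HIGH if rex else REGS_LOW)[code[op] - 0x50]
            hits.append((base + i, reg))
            i = op + 2
        else:
            i += 1
    return hits


def normalize_push_ret(code, offsets):
    """Rewrite the pairs at the given offsets to the equivalent jmp reg.

    push reg (1 byte) + ret (1 byte) and jmp reg (FF E0+r, 2 bytes) are the same
    length, and an existing REX.B prefix is left in place, so nothing else moves.
    Offsets are meant to be the analyst-confirmed subset of find_push_ret() hits.
    """
    out = bytearray(code)
    for off in offsets:
        rex = out[off] == REX_B
        op = off + 1 if rex else off
        if not (0x50 <= out[op] <= 0x57 and out[op + 1] == RET):
            raise ValueError(f"no push/ret pair at offset {off:#x}")
        reg_index = out[op] - 0x50
        out[op] = JMP_RM
        out[op + 1] = 0xE0 | reg_index
    return bytes(out)


if __name__ == "__main__":
    for addr, reg in find_push_ret(SAMPLE_CODE, base=0x1000):
        print(f"{addr:#x}: push {reg}; ret  ->  jmp {reg}")
```

Semantically the rewrite is exact for control flow; the only differences are the transient stack write the original performs and how a shadow stack treats the ret, which is also why the idiom shows up in code that wants to confuse return-address checks.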

Spreading:

Enumerates the file system
Source: C:\Users\user\AppData\Roaming\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Users\user\AppData\Roaming\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\
Source: C:\Users\user\AppData\Roaming\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Word\
Source: C:\Users\user\AppData\Roaming\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\
Source: C:\Users\user\AppData\Roaming\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\Request\
Source: C:\Users\user\AppData\Roaming\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Directory queried: number of queries: 2184
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01378D80 FindFirstFileW
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_0136F750 FindFirstFileW
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_01378D80 FindFirstFileW
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_0136F750 FindFirstFileW
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_00398D80 FindFirstFileW
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_0018F750 FindFirstFileW
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_00198D80 FindFirstFileW
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_00508D80 FindFirstFileW
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_004FF750 FindFirstFileW
Contains functionality to query local drives
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01371DA0 GetLogicalDriveStringsW,GetLogicalDriveStringsW

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01375AC0 LoadLibraryExW,GetNativeSystemInfo,SHGetFolderPathW,CreateFileW,WriteFile,CreateFileTransactedW,WriteFile,NtCreateSection,NtCreateProcessEx,RtlCreateProcessParametersEx,VirtualAllocEx,WriteProcessMemory,NtQueryInformationProcess,WriteProcessMemory,NtCreateThreadEx
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_01375AC0 LoadLibraryExW,GetNativeSystemInfo,SHGetFolderPathW,CreateFileW,WriteFile,CreateFileTransactedW,WriteFile,NtCreateSection,NtCreateProcessEx,RtlCreateProcessParametersEx,VirtualAllocEx,WriteProcessMemory,NtQueryInformationProcess,WriteProcessMemory,NtCreateThreadEx
Contains functionality to delete services
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_0000000100001020 DeleteService
Detected potential crypto function
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01377EC0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01374B90
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_013793B0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01376700
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_0136E9F0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01378FD0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_0136A9D0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01375AC0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01379910
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_0136A3A0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_013721B0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01373560
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_013698A0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01369E80
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_013663C0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_0136D440
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_01377EC0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_01374B90
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_013793B0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_01376700
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_0136E9F0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_01378FD0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_0136A9D0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_01375AC0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_01379910
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_0136A3A0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_013721B0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_01373560
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_013698A0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_01369E80
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_013663C0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_0136D440
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_0038E9F0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_003993B0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_00398FD0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_003921B0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_00399910
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_00389E80
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_00396700
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_0038A9D0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_00397EC0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_00393560
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_0038A3A0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_003898A0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_003863C0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_00395AC0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_0038D440
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_00394B90
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_000000010000733C
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_00000001000077A8
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_0000000100006600
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_0000000100009EFC
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_0000000100005460
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_000000010000E408
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_000000010000B674
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_1_000000010000733C
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_1_00000001000077A8
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_1_0000000100006600
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_1_0000000100009EFC
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_1_0000000100005460
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_1_000000010000E408
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_1_000000010000B674
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_0018A9D0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_0018E9F0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_001993B0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_00198FD0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_0018A3A0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_00196700
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_001898A0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_0018D440
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_00194B90
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_00189E80
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_001863C0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_00197EC0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_00195AC0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_00199910
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_00193560
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_001921B0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_00508FD0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_004FA9D0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_005093B0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_004FE9F0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_00509910
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_005021B0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_004F9E80
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_00505AC0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_00503560
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_004F63C0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_004F98A0
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_004FD440
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_00506700
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_004FA3A0
Source: C:\Users\user\AppData\Roaming\msiexec.exeCode function: 7_2_00507EC07_2_00507EC0
Source: C:\Users\user\AppData\Roaming\msiexec.exeCode function: 7_2_00504B907_2_00504B90
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: String function: 000000010000A81C appears 48 times
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: String function: 00000001000126F8 appears 36 times
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: String function: 0000000100010534 appears 38 times
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: String function: 000000010000FA28 appears 34 times
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: String function: 0000000100001278 appears 46 times
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: String function: 000000010000F0A4 appears 50 times
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: String function: 0000000100016AC0 appears 78 times
PE file contains strange resources
Source: msiexec.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msiexec.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file does not import any functions
Source: GAygkOwh9t | Static PE information: No import functions for PE file found
Reads the hosts file
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\msiexec.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\msiexec.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: GAygkOwh9t.exe, 00000004.00000003.16861321264.0000000004977000.00000004.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs GAygkOwh9t
Source: GAygkOwh9t.exe, 00000004.00000002.16911100358.0000000004510000.00000008.sdmp | Binary or memory string: OriginalFilenamewshtcpip.dll.muij% vs GAygkOwh9t
Source: GAygkOwh9t.exe, 00000004.00000002.16911338848.0000000004940000.00000008.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs GAygkOwh9t
Source: GAygkOwh9t.exe, 00000004.00000003.16876320775.0000000008070000.00000004.sdmp | Binary or memory string: OriginalFilenameMSCTF.DLL.MUIj% vs GAygkOwh9t
Source: GAygkOwh9t.exe, 00000004.00000002.16906687970.0000000000757000.00000004.sdmp | Binary or memory string: OriginalFilenamemsiexec.exeX vs GAygkOwh9t
Source: GAygkOwh9t.exe, 00000004.00000003.16875503379.0000000008070000.00000004.sdmp | Binary or memory string: OriginalFilenamemsiexec.exe.muiX vs GAygkOwh9t
Source: GAygkOwh9t.exe, 00000004.00000002.16911141662.0000000004530000.00000008.sdmp | Binary or memory string: OriginalFilenamewship6.dll.muij% vs GAygkOwh9t
Source: GAygkOwh9t.exe, 00000004.00000002.16911610238.00000000057F0000.00000008.sdmp | Binary or memory string: OriginalFilenameKernelbasej% vs GAygkOwh9t
Source: GAygkOwh9t.exe, 00000004.00000002.16910505553.0000000001D70000.00000008.sdmp | Binary or memory string: OriginalFilenamewinhttp.dll.muij% vs GAygkOwh9t
Source: GAygkOwh9t.exe, 00000004.00000003.16876270744.0000000008070000.00000004.sdmp | Binary or memory string: OriginalFilenamemsimsg.dll.muiX vs GAygkOwh9t
Tries to load missing DLLs
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Section loaded: ktmw32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: winsta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: davhlpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: browcli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Classification label
Source: classification engine | Classification label: mal100.evad.expl.spyw.troj.win@15/1083@9/100
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_0000000100004FD0 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_1_0000000100004FD0 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle
Contains functionality to create services
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_000000010000DE34 memset,GetModuleFileNameW,GetLastError,memset,#197,#197,OpenSCManagerW,Sleep,CreateServiceW,GetLastError,#197,#197,CloseServiceHandle,CloseServiceHandle,GetLastError
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_1_000000010000DE34 memset,GetModuleFileNameW,GetLastError,memset,#197,#197,OpenSCManagerW,Sleep,CreateServiceW,GetLastError,#197,#197,CloseServiceHandle,CloseServiceHandle,GetLastError
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01374B90 LoadLibraryA,CreateToolhelp32Snapshot,Process32FirstW,K32EnumProcessModules,K32GetModuleFileNameExW,Process32NextW
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_000000010000E108 StartServiceCtrlDispatcherW,GetLastError
Contains functionality to register a service control handler (likely the sample is a service DLL)
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_000000010000E108 StartServiceCtrlDispatcherW,GetLastError
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_1_000000010000E108 StartServiceCtrlDispatcherW,GetLastError
Creates files inside the program directory
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\==READ==THIS==PLEASE==4DE0B309.txt
Creates files inside the user directory
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | File created: C:\Users\user\AppData\Roaming\msiexec.exe
PE file has an executable .text section and no other executable section
Source: GAygkOwh9t | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | File read: C:\Users\Public\Pictures\Sample Pictures\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: GAygkOwh9t | virustotal: Detection: 45%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe 'C:\Users\user\Desktop\plugins\GAygkOwh9t.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\msiexec.exe C:\Users\user\AppData\Roaming\msiexec.exe
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe
Source: unknown | Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\Searches\==READ==THIS==PLEASE==4DE0B309.txt
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Process created: C:\Users\user\AppData\Roaming\msiexec.exe C:\Users\user\AppData\Roaming\msiexec.exe
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\Searches\==READ==THIS==PLEASE==4DE0B309.txt
Uses an in-process (OLE) Automation server
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
Writes ini files
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | File written: C:\Users\desktop.ini
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: GAygkOwh9t | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: GAygkOwh9t | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: msiexec.pdb source: msiexec.exe, msiexec.exe, 00000006.00000002.17418373208.0000000100001000.00000020.sdmp, msiexec.exe, 00000007.00000000.16870267718.0000000100001000.00000020.sdmp, msiexec.exe, 00000008.00000001.16871418140.0000000100001000.00000020.sdmp, msiexec.exe, 00000009.00000001.16872144721.0000000100001000.00000020.sdmp, msiexec.exe.4.dr
Source: Binary string: msiexec.pdbE3 source: msiexec.exe, 00000005.00000001.16869031651.0000000100001000.00000020.sdmp, msiexec.exe, 00000006.00000002.17418373208.0000000100001000.00000020.sdmp, msiexec.exe, 00000007.00000000.16870267718.0000000100001000.00000020.sdmp, msiexec.exe, 00000008.00000001.16871418140.0000000100001000.00000020.sdmp, msiexec.exe, 00000009.00000001.16872144721.0000000100001000.00000020.sdmp, msiexec.exe.4.dr
Source: Binary string: ntdll.pdb source: GAygkOwh9t.exe, 00000004.00000003.16861572537.0000000008070000.00000004.sdmp, msiexec.exe, 00000005.00000003.16874916071.000000000AD50000.00000004.sdmp, msiexec.exe, 00000006.00000003.16870326739.0000000002DA0000.00000004.sdmp, msiexec.exe, 00000007.00000003.16885362918.0000000013EF0000.00000004.sdmp, msiexec.exe, 00000008.00000003.16883621084.0000000009C10000.00000004.sdmp, msiexec.exe, 00000009.00000003.16883555475.000000000D7E0000.00000004.sdmp, msiexec.exe, 0000000A.00000003.16901711017.0000000007720000.00000004.sdmp

HIPS / PFW / Operating System Protection Evasion:

Found Process Doppelgänging injection technique
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01375AC0 LoadLibraryExW,GetNativeSystemInfo,SHGetFolderPathW,CreateFileW,WriteFile,CreateFileTransactedW,WriteFile,NtCreateSection,NtCreateProcessEx,RtlCreateProcessParametersEx,VirtualAllocEx,WriteProcessMemory,NtQueryInformationProcess,WriteProcessMemory,NtCreateThreadEx
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_01375AC0 LoadLibraryExW,GetNativeSystemInfo,SHGetFolderPathW,CreateFileW,WriteFile,CreateFileTransactedW,WriteFile,NtCreateSection,NtCreateProcessEx,RtlCreateProcessParametersEx,VirtualAllocEx,WriteProcessMemory,NtQueryInformationProcess,WriteProcessMemory,NtCreateThreadEx
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Memory allocated: C:\Users\user\AppData\Roaming\msiexec.exe base: 27A30000 protect: page read and write
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01375AC0 LoadLibraryExW,GetNativeSystemInfo,SHGetFolderPathW,CreateFileW,WriteFile,CreateFileTransactedW,WriteFile,NtCreateSection,NtCreateProcessEx,RtlCreateProcessParametersEx,VirtualAllocEx,WriteProcessMemory,NtQueryInformationProcess,WriteProcessMemory,NtCreateThreadEx
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Thread created: C:\Users\user\AppData\Roaming\msiexec.exe EIP: 170C0
Writes to foreign memory regions
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Memory written: C:\Users\user\AppData\Roaming\msiexec.exe base: 27A35BC0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Memory written: C:\Users\user\AppData\Roaming\msiexec.exe base: 7FFFFFD8020
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Memory written: C:\Users\user\AppData\Roaming\msiexec.exe base: 27A36F00
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Memory written: C:\Users\user\AppData\Roaming\msiexec.exe base: 7FFFFFDF020
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Memory written: C:\Users\user\AppData\Roaming\msiexec.exe base: 27A38240
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Memory written: C:\Users\user\AppData\Roaming\msiexec.exe base: 7FFFFFDD020
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Memory written: C:\Users\user\AppData\Roaming\msiexec.exe base: 27A39580
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Memory written: C:\Users\user\AppData\Roaming\msiexec.exe base: 7FFFFFD4020
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Memory written: C:\Users\user\AppData\Roaming\msiexec.exe base: 27A3A8C0
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Memory written: C:\Users\user\AppData\Roaming\msiexec.exe base: 7FFFFFDF020
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Process created: C:\Users\user\AppData\Roaming\msiexec.exe C:\Users\user\AppData\Roaming\msiexec.exe
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_0000000100005460 FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,GetLastError,FreeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,GetLastError,FreeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,GetLastError,FreeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,GetLastError,FreeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,GetLastError,FreeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,GetLastError,FreeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,GetLastError,FreeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,FreeSid,AllocateAndInitializeSid,GetLengthSid,memset,GlobalAlloc,FreeSid,InitializeAcl,GetLastErro
Contains functionality to create a new security descriptor
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_000000010000523C AllocateAndInitializeSid,GetLastError,GetLengthSid,FreeSid,GetLengthSid,FreeSid
May try to detect the Windows Explorer process (often used for injection)
Source: msiexec.exe, 00000006.00000002.17398062824.0000000000730000.00000002.sdmp, msiexec.exe, 00000007.00000002.17422140491.00000000006E0000.00000002.sdmp, msiexec.exe, 0000000A.00000000.16878050646.0000000000AB0000.00000002.sdmp | Binary or memory string: Program Manager
Source: msiexec.exe, 00000006.00000002.17398062824.0000000000730000.00000002.sdmp, msiexec.exe, 00000007.00000002.17422140491.00000000006E0000.00000002.sdmp, msiexec.exe, 0000000A.00000000.16878050646.0000000000AB0000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 00000006.00000002.17398062824.0000000000730000.00000002.sdmp, msiexec.exe, 00000007.00000002.17422140491.00000000006E0000.00000002.sdmp, msiexec.exe, 0000000A.00000000.16878050646.0000000000AB0000.00000002.sdmp | Binary or memory string: !Progman

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01365DE3 rdtsc
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_000000010000A81C GetLastError,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,GlobalFree,memset,OutputDebugStringW,SetLastError
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_0000000100006600 GetModuleFileNameW,GetLastError,RegCreateKeyExW,lstrlenW,RegSetValueExW,lstrlenW,RegSetValueExW,RegCloseKey,RegCreateKeyExW,RegOpenKeyExW,RegQueryValueExW,memset,CreateProcessW,WaitForSingleObject,CloseHandle,CloseHandle,RegCloseKey,wcsrchr,lstrlenW,RegSetValueExW,lstrlenW,RegSetValueExW,RegCloseKey,LoadLibraryW,GetProcAddress
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_0000000100017530 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_000000010001729C SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_1_0000000100017530 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_1_000000010001729C SetUnhandledExceptionFilter
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Memory protected: page read and write and page guard

Malware Analysis System Evasion:

Found stalling execution ending in API Sleep call
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Stalling execution: Execution stalls by calling Sleep (graph_5-9852)
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01365DE3 rdtsc
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Thread delayed: delay time: 600000
Source: C:\Windows\System32\msiexec.exe | Thread delayed: delay time: 600000
Source: C:\Windows\System32\msiexec.exe | Thread delayed: delay time: 1200000
Enumerates the file system
Source: C:\Users\user\AppData\Roaming\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Users\user\AppData\Roaming\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Templates\
Source: C:\Users\user\AppData\Roaming\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Word\
Source: C:\Users\user\AppData\Roaming\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\
Source: C:\Users\user\AppData\Roaming\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\Request\
Source: C:\Users\user\AppData\Roaming\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Window / User API: threadDelayed 663
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Window / User API: threadDelayed 2621
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Window / User API: threadDelayed 767
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Window / User API: threadDelayed 773
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Window / User API: threadDelayed 2712
Source: C:\Windows\System32\msiexec.exe | Window / User API: threadDelayed 3809
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\msiexec.exe | API coverage: 5.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe TID: 2472 | Thread sleep time: -600000s >= -60000s
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe TID: 3124 | Thread sleep time: -420000s >= -60000s
Source: C:\Users\user\AppData\Roaming\msiexec.exe TID: 2476 | Thread sleep count: 663 > 30
Source: C:\Users\user\AppData\Roaming\msiexec.exe TID: 3148 | Thread sleep time: -600000s >= -60000s
Source: C:\Users\user\AppData\Roaming\msiexec.exe TID: 3580 | Thread sleep time: -60000s >= -60000s
Source: C:\Users\user\AppData\Roaming\msiexec.exe TID: 3140 | Thread sleep count: 2621 > 30
Source: C:\Users\user\AppData\Roaming\msiexec.exe TID: 3736 | Thread sleep time: -120000s >= -60000s
Source: C:\Users\user\AppData\Roaming\msiexec.exe TID: 3300 | Thread sleep time: -600000s >= -60000s
Source: C:\Users\user\AppData\Roaming\msiexec.exe TID: 3260 | Thread sleep count: 767 > 30
Source: C:\Users\user\AppData\Roaming\msiexec.exe TID: 3920 | Thread sleep time: -120000s >= -60000s
Source: C:\Users\user\AppData\Roaming\msiexec.exe TID: 3912 | Thread sleep time: -60000s >= -60000s
Source: C:\Users\user\AppData\Roaming\msiexec.exe TID: 3392 | Thread sleep time: -600000s >= -60000s
Source: C:\Users\user\AppData\Roaming\msiexec.exe TID: 3228 | Thread sleep count: 773 > 30
Source: C:\Users\user\AppData\Roaming\msiexec.exe TID: 3876 | Thread sleep time: -120000s >= -60000s
Source: C:\Users\user\AppData\Roaming\msiexec.exe TID: 3348 | Thread sleep time: -600000s >= -60000s
Source: C:\Users\user\AppData\Roaming\msiexec.exe TID: 3224 | Thread sleep count: 2712 > 30
Source: C:\Users\user\AppData\Roaming\msiexec.exe TID: 3900 | Thread sleep time: -120000s >= -60000s
Source: C:\Users\user\AppData\Roaming\msiexec.exe TID: 3352 | Thread sleep time: -600000s >= -60000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01378D80 FindFirstFileW
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_0136F750 FindFirstFileW
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_01378D80 FindFirstFileW
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_1_0136F750 FindFirstFileW
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 5_2_00398D80 FindFirstFileW
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_0018F750 FindFirstFileW
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 6_2_00198D80 FindFirstFileW
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_00508D80 FindFirstFileW
Source: C:\Users\user\AppData\Roaming\msiexec.exe | Code function: 7_2_004FF750 FindFirstFileW
Contains functionality to query local drives
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_01371DA0 GetLogicalDriveStringsW,GetLogicalDriveStringsW
Contains functionality to query system information
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Code function: 4_2_013756F0 GetSystemInfo
Queries a list of all running processes
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe | Process information queried: ProcessInformation

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOALIGNMENTFAULTEXCEPT and NOGPFAULTERRORBOX and NOOPENFILEERRORBOX

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\msiexec.exe Code function: memset,#197,GetACP,LoadLibraryW,GetProcAddress,GetLocaleInfoW,FreeLibrary,FormatMessageW,memset,GetVersionExW,GlobalAlloc,GlobalFree,#197,#199,GlobalFree,lstrlenW,WriteFile,WriteFile,5_2_000000010000ADEC
Source: C:\Users\user\AppData\Roaming\msiexec.exe Code function: memset,#197,GetACP,LoadLibraryW,GetProcAddress,GetLocaleInfoW,FreeLibrary,FormatMessageW,memset,GetVersionExW,GlobalAlloc,GlobalFree,#197,#199,GlobalFree,lstrlenW,WriteFile,WriteFile,5_1_000000010000ADEC
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe Code function: 4_2_0137A690 cpuid 4_2_0137A690
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\Searches\==READ==THIS==PLEASE==4DE0B309.txt VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\AppData\Roaming\msiexec.exe Code function: 5_2_0000000100017474 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,5_2_0000000100017474
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe Code function: 4_2_0136B040 GetComputerNameExW,GetComputerNameW,GetUserNameW,4_2_0136B040
Contains functionality to query windows version
Source: C:\Users\user\AppData\Roaming\msiexec.exe Code function: 5_2_000000010000A9AC GetVersionExW,5_2_000000010000A9AC
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\plugins\GAygkOwh9t.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Cryptography MachineGuid

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 553091  Sample: GAygkOwh9t  Startdate: 11/05/2018  Architecture: WINDOWS  Score: 100

Sample-level signatures:
  • Antivirus detection for submitted file
  • Multi AV Scanner detection for submitted file
  • May check the online IP address of the machine
  • Detected TCP or UDP traffic on non-standard ports

GAygkOwh9t.exe (started)
  • DNS/IP: ipinfo.io (May check the online IP address of the machine), ocsp.int-x3.letsencrypt.org
  • Dropped: C:\Users\user\AppData\Roaming\msiexec.exe, PE32+
  • Signatures: Found Process Doppelgänging injection technique; Installs new ROOT certificates; Creates autostart registry keys with suspicious names; 5 other signatures
  • Started: msiexec.exe, msiexec.exe, msiexec.exe, 3 other processes

msiexec.exe (first instance)
  • DNS/IP: 192.168.1.10 unknown unknown; 192.168.1.11 unknown unknown; 97 other IPs or domains
  • Dropped: C:\Users\user\Downloads\GAygkOwh9t, Unknown; C:\Users\user\AppData\...\Login Data-journal, Unknown; C:\Users\user\AppData\Local\...\Login Data, Unknown
  • Signatures: Connects to many different private IPs via SMB (likely to spread or exploit); Connects to many different private IPs (likely to spread or exploit); Creates autostart registry keys with suspicious names
  • Started: notepad.exe

msiexec.exe (second instance)
  • Signatures: Creates multiple autostart registry keys

msiexec.exe (third instance)
  • Signatures: Found stalling execution ending in API Sleep call

3 other processes
  • DNS/IP: 192.168.1.13, 3702, 443, 49188 unknown unknown (Detected TCP or UDP traffic on non-standard ports)
  • Signatures: Tries to harvest and steal browser information (history, passwords, etc)

Simulations

Behavior and APIs

Time | Type | Description
14:13:14 | API Interceptor | 55x Sleep call for process: GAygkOwh9t.exe modified
14:13:26 | API Interceptor | 729x Sleep call for process: msiexec.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
GAygkOwh9t | 45% | virustotal |
GAygkOwh9t | 100% | Avira | TR/Ransom.xmaww

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
ocsp.int-x3.letsencrypt.org | 1% | virustotal |
ipinfo.io | 0% | virustotal |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Context

ASN

No context

Dropped Files

No context

Screenshots