Windows Analysis Report
RequestFeeEstimateApp.msi

Overview

General Information

Sample name:	RequestFeeEstimateApp.msi
Analysis ID:	1545776
MD5:	6ff29c2e00a2ec0c6ad386cd7aba0111
SHA1:	2223e3d3a1d9c214379ed39226565a8a295eca42
SHA256:	1b1254e810e86475bd3ebb4362e1495d16c39a377da3052796779b3445b840bc
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Classification

Signatures

Source:	Binary string: c:\CIMSDevelopment\DOTNET45\Z_CIMSUtilities\LegalAdminFeeQuoteRequestApp\LegalAdminFeeQuoteRequestApp\obj\Debug\RequestFeeEstimateApp.pdb source: RequestFeeEstimateApp.exe.1.dr
Source:	Binary string: DPCA.pdb source: RequestFeeEstimateApp.msi, 5a8528.msi.1.dr, MSI44DE.tmp.1.dr, MSIA016.tmp.0.dr, MSI8AD3.tmp.0.dr, 5a852b.msi.1.dr, MSI7012.tmp.1.dr
Source:	Binary string: c:\CIMSDevelopment\DOTNET45\Z_CIMSUtilities\LegalAdminFeeQuoteRequestApp\LegalAdminFeeQuoteRequestApp\obj\Debug\RequestFeeEstimateApp.pdbH source: RequestFeeEstimateApp.exe.1.dr

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: 5a852a.rbs.1.dr, MSI31BD.tmp.1.dr	String found in binary or memory: http://www.pt.qld.gov.au
Source: RequestFeeEstimateApp.exe.config.1.dr	String found in binary or memory: http://www.pt.qld.gov.au/
Source: RequestFeeEstimateApp.exe.config.1.dr	String found in binary or memory: http://www.pt.qld.gov.au/site-footer/privacy/
Source: RequestFeeEstimateApp.exe.config.1.dr	String found in binary or memory: https://www.pt.qld.gov.au/fee-estimates
Source: RequestFeeEstimateApp.exe.config.1.dr	String found in binary or memory: https://www.pt.qld.gov.au/fee-estimates/#protection
Source: RequestFeeEstimateApp.exe.1.dr	String found in binary or memory: https://www.pt.qld.gov.au/media/1094/guide-for-financial-management-clients.pdf

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a8528.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7012.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44DE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a8529.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a8529.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI31BD.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_853F67D554F05449430E7E.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_FC1595DE29501BE620D66A.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_A85671EAB9534020145BAD.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a852b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a852b.msi	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI7012.tmp

Jump to behavior

Sample file is different than original file name gathered from version info

Source: RequestFeeEstimateApp.msi

Binary or memory string: OriginalFilenameDPCA.DLL^ vs RequestFeeEstimateApp.msi

Source: metadata-2.1.dr	Binary string: highlight.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\66program files\windows sidebar\gadgets\rssfeeds.gadgeticon.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.1.dr	Binary string: wmplayer.exe.mui22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images**undocked_black_moon-new_partly-cloudy.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.1.dr	Binary string: buttonup_off.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.1.dr	Binary string: system.web.dynamicdata.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images33docked_black_moon-waxing-gibbous_partly-cloudy.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.1.dr	Binary string: system.addin.contract.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.1.dr	Binary string: btn-previous-static.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.1.dr	Binary string: keypad.xml22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\99program files\dvd maker\shared\dvdstyles\specialoccasion,,specialnavigationup_selectionsubpicture.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.1.dr	Binary string: scenes_intro_bg_pal.wmv22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.1.dr	Binary string: acxtrnal.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.1.dr	Binary string: sbdrop.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}

Source: classification engine

Classification label: clean5.winMSI@6/26@0/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\The Public Trustee of Queensland

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\Public\Desktop\Request for Fee Estimate Application.lnk

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIA016.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\RequestFeeEstimateApp.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 15D085CEE9AA24273C52817D86F1DFDC C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E19954DDDCA32EB259172C345C0E3285
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 15D085CEE9AA24273C52817D86F1DFDC C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E19954DDDCA32EB259172C345C0E3285	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior

Source: Request for Fee Estimate Application.lnk.1.dr	LNK file: ..\..\..\..\..\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_FC1595DE29501BE620D66A.exe
Source: Request for Fee Estimate Application.lnk0.1.dr	LNK file: ..\..\..\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_A85671EAB9534020145BAD.exe

Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: RequestFeeEstimateApp.msi

Static file information: File size 1386496 > 1048576

Source:	Binary string: c:\CIMSDevelopment\DOTNET45\Z_CIMSUtilities\LegalAdminFeeQuoteRequestApp\LegalAdminFeeQuoteRequestApp\obj\Debug\RequestFeeEstimateApp.pdb source: RequestFeeEstimateApp.exe.1.dr
Source:	Binary string: DPCA.pdb source: RequestFeeEstimateApp.msi, 5a8528.msi.1.dr, MSI44DE.tmp.1.dr, MSIA016.tmp.0.dr, MSI8AD3.tmp.0.dr, 5a852b.msi.1.dr, MSI7012.tmp.1.dr
Source:	Binary string: c:\CIMSDevelopment\DOTNET45\Z_CIMSUtilities\LegalAdminFeeQuoteRequestApp\LegalAdminFeeQuoteRequestApp\obj\Debug\RequestFeeEstimateApp.pdbH source: RequestFeeEstimateApp.exe.1.dr

Source: RequestFeeEstimateApp.exe.1.dr

Static PE information: section name: .text entropy: 7.403983026003714

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7012.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\RequestFeeEstimateApp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIA016.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI8AD3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44DE.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7012.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44DE.tmp			Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: metadata-2.1.dr	Binary or memory string: bcdedit.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: metadata-2.1.dr	Binary or memory string: bcdedit.exe.mui22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\

Creates or modifies windows services

Source: C:\Windows\System32\msiexec.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

Jump to behavior

Modifies existing windows services

Source: C:\Windows\System32\msiexec.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Request for Fee Estimate Application.lnk

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7012.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\RequestFeeEstimateApp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA016.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI44DE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8AD3.tmp	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\msiexec.exe TID: 3428	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 3460	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3536	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4008	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4008	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: metadata-2.1.dr	Binary or memory string: lsm.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests,,microsoft-hyper-v-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: metadata-2.1.dr	Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\##windows\system32\spp\tokens\ppdlic
Source: metadata-2.1.dr	Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\syswow64\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\,,program files (x86)\internet explorer\en-us
Source: metadata-2.1.dr	Binary or memory string: imscmig.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests44microsoft-hyper-v-drivers-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 15D085CEE9AA24273C52817D86F1DFDC C			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E19954DDDCA32EB259172C345C0E3285			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Source:	Binary string: c:\CIMSDevelopment\DOTNET45\Z_CIMSUtilities\LegalAdminFeeQuoteRequestApp\LegalAdminFeeQuoteRequestApp\obj\Debug\RequestFeeEstimateApp.pdb source: RequestFeeEstimateApp.exe.1.dr
Source:	Binary string: DPCA.pdb source: RequestFeeEstimateApp.msi, 5a8528.msi.1.dr, MSI44DE.tmp.1.dr, MSIA016.tmp.0.dr, MSI8AD3.tmp.0.dr, 5a852b.msi.1.dr, MSI7012.tmp.1.dr
Source:	Binary string: c:\CIMSDevelopment\DOTNET45\Z_CIMSUtilities\LegalAdminFeeQuoteRequestApp\LegalAdminFeeQuoteRequestApp\obj\Debug\RequestFeeEstimateApp.pdbH source: RequestFeeEstimateApp.exe.1.dr

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: 5a852a.rbs.1.dr, MSI31BD.tmp.1.dr	String found in binary or memory: http://www.pt.qld.gov.au
Source: RequestFeeEstimateApp.exe.config.1.dr	String found in binary or memory: http://www.pt.qld.gov.au/
Source: RequestFeeEstimateApp.exe.config.1.dr	String found in binary or memory: http://www.pt.qld.gov.au/site-footer/privacy/
Source: RequestFeeEstimateApp.exe.config.1.dr	String found in binary or memory: https://www.pt.qld.gov.au/fee-estimates
Source: RequestFeeEstimateApp.exe.config.1.dr	String found in binary or memory: https://www.pt.qld.gov.au/fee-estimates/#protection
Source: RequestFeeEstimateApp.exe.1.dr	String found in binary or memory: https://www.pt.qld.gov.au/media/1094/guide-for-financial-management-clients.pdf

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a8528.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7012.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44DE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a8529.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a8529.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI31BD.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_853F67D554F05449430E7E.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_FC1595DE29501BE620D66A.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_A85671EAB9534020145BAD.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a852b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a852b.msi	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI7012.tmp

Jump to behavior

Sample file is different than original file name gathered from version info

Source: RequestFeeEstimateApp.msi

Binary or memory string: OriginalFilenameDPCA.DLL^ vs RequestFeeEstimateApp.msi

Source: metadata-2.1.dr	Binary string: highlight.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\66program files\windows sidebar\gadgets\rssfeeds.gadgeticon.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.1.dr	Binary string: wmplayer.exe.mui22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images**undocked_black_moon-new_partly-cloudy.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.1.dr	Binary string: buttonup_off.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.1.dr	Binary string: system.web.dynamicdata.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images33docked_black_moon-waxing-gibbous_partly-cloudy.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.1.dr	Binary string: system.addin.contract.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.1.dr	Binary string: btn-previous-static.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.1.dr	Binary string: keypad.xml22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\99program files\dvd maker\shared\dvdstyles\specialoccasion,,specialnavigationup_selectionsubpicture.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.1.dr	Binary string: scenes_intro_bg_pal.wmv22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.1.dr	Binary string: acxtrnal.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.1.dr	Binary string: sbdrop.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}

Source: classification engine

Classification label: clean5.winMSI@6/26@0/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\The Public Trustee of Queensland

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\Public\Desktop\Request for Fee Estimate Application.lnk

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIA016.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\RequestFeeEstimateApp.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 15D085CEE9AA24273C52817D86F1DFDC C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E19954DDDCA32EB259172C345C0E3285
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 15D085CEE9AA24273C52817D86F1DFDC C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E19954DDDCA32EB259172C345C0E3285	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior

Source: Request for Fee Estimate Application.lnk.1.dr	LNK file: ..\..\..\..\..\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_FC1595DE29501BE620D66A.exe
Source: Request for Fee Estimate Application.lnk0.1.dr	LNK file: ..\..\..\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_A85671EAB9534020145BAD.exe

Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: RequestFeeEstimateApp.msi

Static file information: File size 1386496 > 1048576

Source:	Binary string: c:\CIMSDevelopment\DOTNET45\Z_CIMSUtilities\LegalAdminFeeQuoteRequestApp\LegalAdminFeeQuoteRequestApp\obj\Debug\RequestFeeEstimateApp.pdb source: RequestFeeEstimateApp.exe.1.dr
Source:	Binary string: DPCA.pdb source: RequestFeeEstimateApp.msi, 5a8528.msi.1.dr, MSI44DE.tmp.1.dr, MSIA016.tmp.0.dr, MSI8AD3.tmp.0.dr, 5a852b.msi.1.dr, MSI7012.tmp.1.dr
Source:	Binary string: c:\CIMSDevelopment\DOTNET45\Z_CIMSUtilities\LegalAdminFeeQuoteRequestApp\LegalAdminFeeQuoteRequestApp\obj\Debug\RequestFeeEstimateApp.pdbH source: RequestFeeEstimateApp.exe.1.dr

Source: RequestFeeEstimateApp.exe.1.dr

Static PE information: section name: .text entropy: 7.403983026003714

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7012.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\RequestFeeEstimateApp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIA016.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI8AD3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44DE.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7012.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44DE.tmp			Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: metadata-2.1.dr	Binary or memory string: bcdedit.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: metadata-2.1.dr	Binary or memory string: bcdedit.exe.mui22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\

Creates or modifies windows services

Source: C:\Windows\System32\msiexec.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

Jump to behavior

Modifies existing windows services

Source: C:\Windows\System32\msiexec.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Request for Fee Estimate Application.lnk

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7012.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\RequestFeeEstimateApp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA016.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI44DE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8AD3.tmp	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\msiexec.exe TID: 3428	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 3460	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3536	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4008	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4008	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: metadata-2.1.dr	Binary or memory string: lsm.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests,,microsoft-hyper-v-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: metadata-2.1.dr	Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\##windows\system32\spp\tokens\ppdlic
Source: metadata-2.1.dr	Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\syswow64\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\,,program files (x86)\internet explorer\en-us
Source: metadata-2.1.dr	Binary or memory string: imscmig.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests44microsoft-hyper-v-drivers-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 15D085CEE9AA24273C52817D86F1DFDC C			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E19954DDDCA32EB259172C345C0E3285			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

ID:	1545776
Product:	CloudBasic
Start time:	00:59:11
Start date:	31.10.2024
Sample:	RequestFeeEstimateApp.msi
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	6ff29c2e00a2ec0c6ad386cd7aba0111
SHA1:	2223e3d3a1d9c214379ed39226565a8a295eca42
SHA256:	1b1254e810e86475bd3ebb4362e1495d16c39a377da3052796779b3445b840bc
Filetype:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Config.Msi\5a852a.rbs	data	19ACAD40FAFE4CB009DDC1F0C9E8CD7B	755350A361405515FC2388742D376FAF3E96648B	A69A661C116A12A413C0FF1115B543E0C52176FBEFE32EEA3E90D6BCFD552595
C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\PTQ_Seal.ico	MS Windows icon resource - 9 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel	2D4EBBA7237F864F370D31A2DAEC2089	B25BF414ADFC9A2EBFF0919F48A8F998941DD18B	0E1CD281B5AAF53954E5CECDC53B50D3BE787D834C1265213D941A6072FD808D
C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\RequestFeeEstimateApp.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	2F9C41D29B1DD3067B70E9A93697E887	AEB6B3AF53631EDEF9CFC41D11B60FE0FE6BD572	5723753472D2838C947E55CE3079BFDF530FD683E45021BE5845AF0DBBFD6B4F
C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\RequestFeeEstimateApp.exe.config	XML 1.0 document, ASCII text, with CRLF line terminators	238D1B72D7132AE0B496D159F010B888	1B79FEB98E8BD80F7DDBA0B6DB38EE5BDBD444E1	B414AE243E4987EEC967A030B91CAB0E38D946E9662199AAD8BC25E0098ACE20
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Request for Fee Estimate Application.lnk	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide	AF5A8FFC8DB84DCF2F4652DFE48BB3CC	E5F917472CAA3D64CE16FF80A54BDB7C25537455	711A8BDA748F22320019051C85EA9DDB7F10BD34289BACCBD506E2691D2C7B1C
C:\System Volume Information\SPP\OnlineMetadataCache\{fe7b918d-19da-4ca8-93fe-5495b57b5003}_OnDiskSnapshotProp	data	F519311D1E350811F2BA3F5A0B75D8F4	E8CBD19B69EFD2D3A5E8AE34A27127424EBC4340	37165DA3D030444509192BDB3728B94B810E8F64A3CAEC49B31E1CC50332653B
C:\System Volume Information\SPP\metadata-2	SysEx File - Twister	F0C4B102E647E325A8C88869A674934E	D7F1675452FB53C1601356154E8FE26F9215D0F6	5BE687AB73983F9457B37D6EC6BD10455A4A1BFC94FF1DBBB04AFC734F1D8AC8
C:\System Volume Information\SPP\snapshot-2	data	F519311D1E350811F2BA3F5A0B75D8F4	E8CBD19B69EFD2D3A5E8AE34A27127424EBC4340	37165DA3D030444509192BDB3728B94B810E8F64A3CAEC49B31E1CC50332653B
C:\Users\user\AppData\Local\Temp\CFGCCF0.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	C517737DD6B59D0BD576A0A484C12E8B	B5BEC2BDE6FFDB8BA9CF790E4BB97B02E78F8225	0774A3FD610BE54DAF2801AC6763F7FDE87073D95435900874C9A61B14F88F50
C:\Users\user\AppData\Local\Temp\CFGFDEF.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	C517737DD6B59D0BD576A0A484C12E8B	B5BEC2BDE6FFDB8BA9CF790E4BB97B02E78F8225	0774A3FD610BE54DAF2801AC6763F7FDE87073D95435900874C9A61B14F88F50
C:\Users\user\AppData\Local\Temp\MSI8AD3.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	DD2FED15306CBB7F32245077364A8FE1	57B96A29654E2CE235AFCC209AF63706341D2B7B	1274CCA896F0FD797B330E5EA4605A080DA505B7E14FFBBF4181B61AC998C649
C:\Users\user\AppData\Local\Temp\MSIA016.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	DD2FED15306CBB7F32245077364A8FE1	57B96A29654E2CE235AFCC209AF63706341D2B7B	1274CCA896F0FD797B330E5EA4605A080DA505B7E14FFBBF4181B61AC998C649
C:\Users\user\AppData\Local\Temp\~DF91053F43BDA8E722.TMP	data	2ED4B12BF2E821C4002608059C912AE4	F771A3CDD525B4347E0091ED50423449EF9ADECB	4FB38E1D60F6140430AC86A779B79612852E0D9B30E949B9B7746EC38D4F4434
C:\Users\user\AppData\Local\Temp\~DFA3758A8D517DBC85.TMP	data	87EB8A7655E3D83E1D4A5A76873BF766	BEE6F512A06E83EE93BC1D8096EC8DDD8B4F78A6	6DBF560EF4697CBDC19732781C2FF557C6AC9EB86E574CD34AC25119636D4C1E
C:\Users\user\AppData\Local\Temp\~DFA8CE440D36CE0491.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\Public\Desktop\Request for Fee Estimate Application.lnk	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide	85B910CC386DC7C631F28DF69CC453C1	103CB7CCB070BAC173B76E12A4268B3F8A3C6FAD	23AD24F4C2DE7F3C3D7B1F1D82D87A0F7D41294856458AC6B3F31E2378FDD9BA
C:\Windows\Installer\5a8528.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {58DACE45-1C39-4451-931D-0E84B499215B}, Title: Request for Fee Estimate Application, Subject: The Public Trustee provides estimates of its fund management fees to firms or organisations representing claimants in Court proceedings where damages may be awarded as a result of injury or disablement. The Request for Fee Estimate Application may be used by firms or organisations to request fee estimates from the Public Trustee., Author: The Public Trustee of Queensland, Comments: The Public Trustee provides estimates of its fund management fees to firms or organisations representing claimants in Court proceedings where damages may be awarded as a result of injury or disablement. The Request for Fee Estimate Application may be used by firms or organisations to request fee estimates from the Public Trustee., Number of Words: 2, Last Saved Time/Date: Mon Jul 9 02:53:09 2018, Last Printed: Mon Jul 9 02:53:09 2018	6FF29C2E00A2EC0C6AD386CD7ABA0111	2223E3D3A1D9C214379ED39226565A8A295ECA42	1B1254E810E86475BD3EBB4362E1495D16C39A377DA3052796779B3445B840BC
C:\Windows\Installer\5a8529.ipi	Composite Document File V2 Document, Cannot read section info	171FADDF34145029F458DCA616C12058	5D68CE6B8E6D1D07B9B1376105919D2ED6AFDE5A	21CA042F64B4A6A2E209C4176C4B5FF83A5E74D7C25103F4DA22FC5940BCCA24
C:\Windows\Installer\5a852b.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {58DACE45-1C39-4451-931D-0E84B499215B}, Title: Request for Fee Estimate Application, Subject: The Public Trustee provides estimates of its fund management fees to firms or organisations representing claimants in Court proceedings where damages may be awarded as a result of injury or disablement. The Request for Fee Estimate Application may be used by firms or organisations to request fee estimates from the Public Trustee., Author: The Public Trustee of Queensland, Comments: The Public Trustee provides estimates of its fund management fees to firms or organisations representing claimants in Court proceedings where damages may be awarded as a result of injury or disablement. The Request for Fee Estimate Application may be used by firms or organisations to request fee estimates from the Public Trustee., Number of Words: 2, Last Saved Time/Date: Mon Jul 9 02:53:09 2018, Last Printed: Mon Jul 9 02:53:09 2018	6FF29C2E00A2EC0C6AD386CD7ABA0111	2223E3D3A1D9C214379ED39226565A8A295ECA42	1B1254E810E86475BD3EBB4362E1495D16C39A377DA3052796779B3445B840BC
C:\Windows\Installer\MSI31BD.tmp	data	8085DEBF94D5322A9AAE216FDBE654A8	F07E5756D1B4BF4BE9C4D89D2C5F2B5A2F2A8F7D	25A7E9185A0CEDCBC5B43FA5F896215D739077C3F25499198C06731C3F4E9C5A
C:\Windows\Installer\MSI44DE.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	DD2FED15306CBB7F32245077364A8FE1	57B96A29654E2CE235AFCC209AF63706341D2B7B	1274CCA896F0FD797B330E5EA4605A080DA505B7E14FFBBF4181B61AC998C649
C:\Windows\Installer\MSI7012.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	DD2FED15306CBB7F32245077364A8FE1	57B96A29654E2CE235AFCC209AF63706341D2B7B	1274CCA896F0FD797B330E5EA4605A080DA505B7E14FFBBF4181B61AC998C649
C:\Windows\Installer\SourceHash{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}	Composite Document File V2 Document, Cannot read section info	2B969A3F439B19C21A204054107F0FE3	5D9EDC8BA8FCD9DDA8271BEFDFE3372C6A3AC4F1	5F57285BE691B55A987A2E8E6832D307FC4133215E878F43370AA06613613BA2
C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_853F67D554F05449430E7E.exe	MS Windows icon resource - 9 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel	5EE612F98743557DC1E379A59B726A4E	1C1A08D3683ECD545C556F7A70499741FCFED2BD	9910D351858CC3EC827BB40A2434560715EDC9961D83F7A485FD176D1E0BC2A9
C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_A85671EAB9534020145BAD.exe	MS Windows icon resource - 9 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel	5EE612F98743557DC1E379A59B726A4E	1C1A08D3683ECD545C556F7A70499741FCFED2BD	9910D351858CC3EC827BB40A2434560715EDC9961D83F7A485FD176D1E0BC2A9
C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_FC1595DE29501BE620D66A.exe	MS Windows icon resource - 9 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel	5EE612F98743557DC1E379A59B726A4E	1C1A08D3683ECD545C556F7A70499741FCFED2BD	9910D351858CC3EC827BB40A2434560715EDC9961D83F7A485FD176D1E0BC2A9

Windows Analysis Report
RequestFeeEstimateApp.msi

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report RequestFeeEstimateApp.msi

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
RequestFeeEstimateApp.msi